U.S. DEPARTMENT OF LABOR
GENERAL CONTROLS REVIEW OF
SELECTED FINANCIAL SYSTEMS
DETAILED FINDINGS AND RECOMMENDATIONS
REPORT TO THE CIO
September 30, 2000

U.S. Department of Labor
Office of Inspector General
Report Number: 22-01-010-07-001
Date Issued: February 28, 2001

FINDINGS AND RECOMMENDATIONS

REPORTABLE CONDITIONS
OFFICE OF THE CHIEF FINANCIAL OFFICER (OCFO)
EMPLOYMENT STANDARDS ADMINISTRATION (ESA)
MINE SAFETY AND HEALTH ADMINISTRATION (MSHA)
OFFICE OF THE ASSISTANT SECRETARY FOR ADMINISTRATION AND MANAGEMENT (OASAM)
OCCUPATIONAL SAFETY AND HEALTH ADMINISTRATION (OSHA)
EMPLOYMENT AND TRAINING ADMINISTRATION (ETA)

REPORTABLE CONDITIONS

To assess the general controls and security over the Electronic Data Processing (EDP) systems that support the financial statements of the Department of Labor (DOL), we conducted reviews using the guidance of the General Accounting Office's (GAO) Federal Information System Controls Audit Manual (FISCAM).
The FISCAM is divided into six general control categories: (a) entitywide security program planning and management (SP), (b) access controls (AC), (c) application software development and change control (CC), (d) system software (SS), (e) segregation of duties (SD), and (f) service continuity (SC). In order to provide coverage of DOL's financial systems, we developed a 5-year strategy based on the functional areas of the financial statements. All systems were scheduled to receive at least one full FISCAM review, and some were scheduled for follow-up reviews in the SP and AC areas only. For FY 2000, we performed various levels of review over 12 financial systems within 6 agencies using the FISCAM, as further explained below and within the agency-specific sections of this report. The reportable conditions we noted were:

•      DOL Needs to Strengthen Controls to Protect Its Information

•      DOL Needs to Fully Implement a Systems Development Life Cycle Methodology

•      DOL Needs to Complete and Fully Test Its Plan(s) for Maintaining Continuity of Operations

1.     DOL Needs to Strengthen Controls to Protect Its Information

During our FY 2000 audit and our continuing review of prior audit issues over the past 3 years, we have found that DOL's systems environment is exposed to various weaknesses in management's procedures for assessing risks, implementing an effective security framework, periodically monitoring that framework, resolving identified or reported issues in a timely manner, and effectively implementing and maintaining its access controls.

The Department has taken several key steps in strengthening its information systems security architecture during the last year. The Department is updating its policies and procedures, issuing guidance, and tracking agency compliance.
However, the general areas where weaknesses were noted are:

•      agencies' ability to periodically perform risk assessments;
•      entitywide security programs, and associated weaknesses in developing, implementing and monitoring Local Area Network (LAN), distributed systems, and mainframe environments;
•      establishment of a security management structure and clear assignment of responsibilities;
•      implementation of effective security-related personnel policies and procedures;
•      certification and accreditation of appropriate general support and major application systems;
•      resource owners' identification of authorized users and the access authorized to them;
•      adequate logical controls over the configuration of security parameters, data files, and software programs; and
•      monitoring controls.

The GAO report, GAO/T-AIMD-00-314, highlights several critical factors about an agency's entitywide security program plan and access controls.
GAO's report states, "Each organization needs a set of management procedures and an organizational framework for identifying and assessing risks, deciding what policies and controls are needed, periodically evaluating the effectiveness of these policies and controls, and acting to address any identified weaknesses. These are the fundamental activities that allow an organization to manage its information security risks cost effectively, rather than react to individual problems in an ad-hoc manner only after a violation has been detected or an audit finding reported." The report further states that, "For access controls to be effective, they must be properly implemented and maintained."

Management's Response

The Department takes a "risk-based" approach to protecting its vital information systems. In June 1999, the Department established a Critical Infrastructure Protection Plan (CIPP) as required by Presidential Decision Directive 63 (PDD-63). The CIPP is an action plan that identifies roles and responsibilities, and provides the general time line for milestones, critical path, and supporting security activities for those systems whose loss or misuse would result in a severe impact on the country's critical sectors. An analysis of the Department's systems was completed to identify those systems that were critical to mission operations. The system inventory was further refined by applying the critical asset identification criteria provided by GSA.
The security functions addressed in the CIPP include critical infrastructure asset identification; vulnerability assessment; mitigation planning; emergency management; security policy administration; resource requirements, recruitment, retention, education and awareness; and interagency coordination requirements.

In addition to the critical asset activities outlined in the CIPP, the Department updated its overall entity-wide "DOL Cyber Security Program Plan" in October 1999, to address potential risks to all departmental information resources. The Cyber Security Program Plan built upon existing capabilities, but represented a major refocusing of the Department's efforts to protect information resources and the information they process for better mission performance. The Cyber Security Program provides a unified approach to the security of information resources, integrates a variety of technical and management disciplines, and provides security throughout the life cycles of systems and the information they support. Security objectives, processes, resource requirements, roles and responsibilities, and potential issues are identified within the Cyber Security Program Plan. The security functions addressed in the Cyber Security Program include administration of security policy and guidance, risk management, contingency planning, vulnerability analysis and penetration testing, incident response and reporting, and computer security awareness and training.

The Office of the Chief Information Officer has provided risk assessment training and guidance to the agencies in order to achieve the milestones outlined within the Cyber Security Program Plan and CIPP.
In accordance with Federal guidance, and as required by the CIPP and Cyber Security Program Plan, each agency applied the systematic approach documented in the Computer Security Handbook to complete system security plans and risk assessments for those systems identified as critical assets, major applications or general support systems.

System security plans identify roles and responsibilities, and contain detailed information about the system environment, management controls, operational controls, and technical controls needed to protect the information processed by the system from unauthorized access. Risk assessments identify roles and responsibilities, and contain detailed information pertaining to the sensitivity and criticality of the system, asset component identification and loss impact, potential threats and vulnerabilities, and evaluation and selection of safeguards to protect the system.

The system security plans and risk assessments were reviewed by the Office of the Chief Information Officer to ensure compliance with Departmental guidance. In December 2000, each departmental agency completed development of agency-centric "Cyber Security Program Plans" that address full implementation requirements outlined within the CIPP and departmental Cyber Security Program.

The Department updated its Information Technology (IT) Architecture and included security standards within the Technical Reference Model of the Information Technology Architecture in March 2000.

The Department established a Systems Development and Life Cycle Management Methodology [1] in July 2000, to provide systematic design, development, and documentation standards for information technology systems, including the application of security measures throughout a system's life cycle.
The Department also updated its Computer Security Handbook to provide guidance for developing and implementing agency-specific cyber security programs, system security plans, contingency plans, vulnerability assessments, incident response and reporting, and security awareness and training. The Computer Security Handbook also established the Department's Emergency Incident Response Team.

The Office of the Chief Information Officer conducted its annual computer security awareness training for Department of Labor employees in October 2000, and provided specialized information technology security training for information technology professionals.

Budgetary support for achieving infrastructure improvements and systems protection was obtained through the Department's Information Technology Capital Planning and Management process. Through this process, departmental information technology security, privacy and related requirements were identified, quantified in terms of cost and benefits, and managed through the Systems Development and Life Cycle program. The Department established an integrated multi-year budget, which specifically includes "Security and Privacy," beginning in FY 2001 to ensure adequate financial resources are available to strengthen the Department's Cyber Security program.

The Office of the Chief Information Officer is in the process of formulating departmental guidance to implement the recently enacted "Government Information Security Reform" (P. L. 106-398, October 30, 2000), and OMB "Guidance On Implementing the Government Information Security Reform Act." [2] Together, implementation of these new initiatives will continue to ensure that DOL systems are operated in a way that is secure against threat and loss.

[1] www.dol.gov/dol/cio/public/programs/it/itamain.htm

2.
DOL Needs to Fully Implement a Systems Development Life Cycle Methodology

During our FY 2000 audit and our continuing review of prior audit issues over the past three years, we have found that changes to the system were not properly controlled. The Department has issued its Systems Development Life Cycle (SDLC) Manual and agencies are updating systems to comply with the manual. However, the general areas where weaknesses were noted are:

•       Program modifications were not properly authorized
•       Testing and approval of new and revised software changes were not performed, evidenced, or formally conducted
•       Access to software libraries was not strictly controlled
•       Critical system documentation was not developed or updated

The GAO report, GAO/T-AIMD-00-314, states, "Application software development and change controls prevent unauthorized software programs or modifications to programs from being implemented. Key aspects of such controls are to ensure that (1) software changes are properly authorized by the managers responsible for the agency program or operations that the application supports, (2) new and modified software programs are tested and approved prior to their implementation, and (3) approved software programs are maintained in carefully controlled libraries to protect them from unauthorized changes and to ensure that different versions are not misidentified."

[2] Office of Management and Budget, "Guidance On Implementing the Government Information Security Reform Act," M-01-08, January 16, 2001, www.whitehouse.gov/omb/memoranda/m01-08.pdf

Management's Response:

The Department's Systems Development and Life Cycle (SDLC) Management Manual was issued in July 2000.
The SDLC serves as the mechanism to assure that developing, modifying, or enhancing systems meet established user requirements and support DOL critical success factors. It sets forth a standard and logical process for managing IT system development activities and acquisition approvals that are controlled, measured, documented, and ultimately improved while responding to Federal guidance and regulations. The SDLC represents a seven-phase structured approach to developing and managing IT projects from the initial concept to disposition (retirement). The concepts presented are the foundation for the life cycle management approach adopted by the DOL to improve the quality of their information technology systems.

The concepts included within the SDLC address strategic planning, business process reengineering, roles and responsibilities, and provide a detailed description of each life cycle phase and the corresponding documentation produced as a result of completing each phase. The seven phases each system would progress through are conceptual planning, planning and requirements definition, design, development and testing, implementation, operations and maintenance, and finally, the disposition phase used to retire legacy systems. As noted by the Office of the Inspector General, the Department is in the process of fully implementing the SDLC. Implementation of the SDLC will ensure program modifications are authorized, testing and approval of new and revised software changes are performed, access to software libraries is controlled, and critical system documentation is developed or updated.

3.
DOL Needs to Complete and Fully Test Its Plan(s) for Maintaining Continuity of Operations

During our FY 2000 audit and our continuing review of prior audit issues over the past three years, we have found that the Department has several weaknesses that would impair its ability to respond effectively to a disruption in business operations as a result of a disaster or another event causing an extended service interruption. The Department issued guidance to address service continuity in its Computer Security Handbook. However, the general areas where weaknesses were noted are:

•      Risk assessments that identify critical operations and resources (people, hardware, software, data, etc.) have not been finalized.
•      Alternate data processing and telecommunications facilities have not been identified for all the critical financial systems reviewed.
•      Agencies are in the process of drafting or revising contingency plans; however, the contingency plans have an "IT" focus and do not fully take into account business operations activities.

The GAO report, GAO/T-AIMD-00-314, states, "Service continuity controls ensure that when unexpected events occur, critical operations will continue without undue interruption and crucial, sensitive data are protected. For this reason, an agency should have (1) procedures in place to protect information resources and minimize the risk of unplanned interruptions and (2) a plan to recover critical operations should interruptions occur. These plans should consider the activities performed at general support facilities, such as data processing centers, as well as the activities performed by users of specific applications.
To determine whether recovery plans will work as intended, they should be tested periodically in disaster simulation exercises."

Management's Response:

The Department has established a multi-year strategy and program management plan for its Continuity of Operations (COOP). As articulated in the COOP, the Department must have a viable capability that ensures the emergency delegation of authority; safekeeping of vital resources, facilities, and records; improvisation or emergency acquisition of the resources necessary for business resumption; capability to perform work at alternate work sites until normal operations are resumed; and the ability to be operational at alternate facilities, with or without warning, within a specified amount of time after activation.

In addition to meeting COOP requirements, the Department must have a Continuity of Government (COG) Plan for discharging the Department's role in maintaining the integrity of critical constitutional functions of the Government in the event of a threat to national security.

In response to Federal guidance, the Department completed draft COOP and COG plans and submitted those plans to the Federal Emergency Management Agency (FEMA) in October 1999. The consolidated FEMA/NSC assessment of Government-wide emergency preparedness, released in September 2000, concluded that DOL plans are a good start but work is needed to develop the detailed procedures and training program that will make the plans truly viable. COG details are highly classified, but unclassified versions of the draft COOP and COG plans were provided to the Office of the Inspector General (OIG) for review. However, the OIG request for COOP and COG information did not occur until after completion of the field work for the general controls review of selected financial systems.
Therefore, the Department expects this reportable condition will be significantly updated once the OIG has completed its review of the COOP and COG plans and associated activities.

In addition to the over-arching COOP and COG plans, the Department's Computer Security Handbook, updated in April 2000, provides departmental guidance for developing agency-specific cyber security programs and system security plans. As noted above, the Handbook specifically addresses contingency planning. The Office of the Chief Information Officer will continue to assist agencies with their CIPP and Cyber Security Program Plans to fully implement the operational guidance contained within the Computer Security Handbook.

OFFICE OF THE CHIEF FINANCIAL OFFICER (OCFO)

We tested general controls and security over EDP systems of the OCFO as they pertain to the following critical financial applications:

•      Department of Labor Accounting and Related Systems (DOLAR$)
•      Integrated Payroll System (IPS)

GAO's Federal Information System Controls Audit Manual (FISCAM) was used to guide testing. The scope of testing included the six FISCAM general controls sections: (1) Entitywide Security Program Planning and Management (SP), (2) Access Controls (AC), (3) Application Software Development and Change Control (CC), (4) System Software (SS), (5) Segregation of Duties (SD), and (6) Service Continuity (SC). In addition, prior year issues reported by management as being closed during the period under review were also tested using the FISCAM.

The DOLAR$ and IPS applications reside on a mainframe located at the SunGard Data Center in Voorhees, New Jersey; thus, our scope was limited to the EDP controls that are the responsibility of OCFO as they relate to the mainframe processing of DOLAR$ and IPS.
The following controls were deemed out of scope and were not tested:

•      Controls that are the responsibility of DOL's contractor, SunGard. SunGard supports and maintains the mainframe operating system and physical environment used to process and store DOLAR$ and IPS application data. These controls are covered as part of the SunGard SAS 70 review.
•      The OASAM Data Center, located at the Frances Perkins Building in Washington, DC, contains telecommunications equipment used by the OCFO to connect to the SunGard mainframe. Therefore, issues associated with physical security, data center operations and service continuity are reported in the OASAM section of this report.

1.     DOL Needs to Strengthen Controls to Protect Its Information

Current Year Findings and Recommendations

a. IDMS Security Parameters and Monitoring

During the FY 2000 audit, we found that the OCFO has not implemented adequate logical controls over the IDMS database for DOLAR$.
Specifically, it was found that:

•      Password parameters are weak:
       •     minimum password length is only two characters,
       •     users are not required to change their passwords,
       •     password history files are not being maintained,
       •     special characters are not required to be used when composing passwords, and
       •     lockout parameters are ineffective to disable an ID after a predetermined number of unsuccessful login attempts.

•      Monitoring controls are weak:
       •     IDMS access violations are not reviewed, and
       •     changes to IDMS profiles (adding, modifying and deleting IDMS IDs and access privileges) are not reviewed.

Inadequate controls over the establishment of password parameters create the risk that passwords will be easily guessed, allowing an unauthorized user to gain access to system resources. Lacking controls to monitor changes or violations in the system creates a risk that improper or illegal access to the database will go undetected.
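The parameter weaknesses listed above can be checked mechanically, and the lockout point can be demonstrated rather than asserted. The following Python is an added example, not code from this report or from DOL/OCFO, and it does not read IDMS settings: the parameter names, the user names and the baseline values are assumptions (the report gives no target values; the 30-day password interval is the one the OCFO uses under finding b below), and the "as found" values are constructed from the bullets above.

```python
"""Added example: audit password/lockout parameters against a baseline,
apply the resulting policy to candidate passwords, and show a lockout
that actually disables an ID.  Illustrative only; not IDMS code."""
from dataclasses import dataclass, field
import string

# Baseline an SSP might set.  Assumed values, not from the report,
# except the 30-day interval, which finding b says OCFO expects.
BASELINE = {
    "min_length": 8,
    "max_age_days": 30,
    "history_depth": 6,        # previous passwords that may not be reused
    "require_special": True,
    "lockout_threshold": 3,    # failed logons before the ID is disabled
}

# The IDMS settings as the finding describes them (constructed from
# the bullets above).  None models a control that is simply absent.
AS_FOUND = {
    "min_length": 2,
    "max_age_days": None,      # users are never forced to change
    "history_depth": 0,        # no history file kept
    "require_special": False,
    "lockout_threshold": None, # lockout never disables the ID
}


def audit_parameters(params: dict, baseline: dict = BASELINE) -> list:
    """Return one finding string per parameter weaker than the baseline."""
    findings = []
    if params["min_length"] < baseline["min_length"]:
        findings.append(f"minimum length {params['min_length']} < {baseline['min_length']}")
    if params["max_age_days"] is None or params["max_age_days"] > baseline["max_age_days"]:
        findings.append(f"password expiry absent or longer than {baseline['max_age_days']} days")
    if params["history_depth"] < baseline["history_depth"]:
        findings.append("password history not maintained")
    if baseline["require_special"] and not params["require_special"]:
        findings.append("special characters not required")
    if params["lockout_threshold"] is None or params["lockout_threshold"] > baseline["lockout_threshold"]:
        findings.append("lockout does not disable ID after failed logons")
    return findings


def password_acceptable(candidate: str, history: list, policy: dict = BASELINE) -> bool:
    """Apply the length, special-character and history rules to a new password."""
    if len(candidate) < policy["min_length"]:
        return False
    if policy["require_special"] and not any(c in string.punctuation for c in candidate):
        return False
    recent = history[-policy["history_depth"]:] if policy["history_depth"] else []
    return candidate not in recent


@dataclass
class LockoutTracker:
    """Disable an ID after `threshold` consecutive failed logons.

    Every failure and every disablement is appended to `log`; that log is
    the material a reviewer of access violations would actually read."""
    threshold: int
    failures: dict = field(default_factory=dict)
    disabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def attempt(self, user: str, password_ok: bool) -> str:
        if user in self.disabled:
            self.log.append(f"{user}: logon attempt while disabled")
            return "disabled"            # even a correct password is refused
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        self.log.append(f"{user}: failed logon #{self.failures[user]}")
        if self.failures[user] >= self.threshold:
            self.disabled.add(user)
            self.log.append(f"{user}: ID disabled after {self.threshold} failures")
            return "disabled"
        return "failed"


if __name__ == "__main__":
    for line in audit_parameters(AS_FOUND):
        print("finding:", line)
    tracker = LockoutTracker(threshold=BASELINE["lockout_threshold"])
    for ok in (False, False, False, True):   # "jdoe" is an assumed user name
        print("jdoe ->", tracker.attempt("jdoe", ok))
```

Running the block prints five findings for the as-found settings and shows the third failed logon disabling the ID, after which even the correct password is refused; that last line is the behaviour the finding says the IDMS lockout parameters did not provide.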
Establishing such precautions reduces the risk of fraud or misuse of the system by allowing all access to be tracked and properly logged for further analysis and investigation.

The following criteria were used in reporting this finding:

       •       NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
       •       NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook

Recommendation:

The following prior year recommendation to the Chief Information Officer and Assistant Secretaries pertains to this finding:

•      ensure agencies are in compliance with the Computer Security Handbook and that the agency SSPs (for its GSS and MAs) contain sufficient policies and procedures governing the authorization, modification, removal, and monitoring of access based upon the concept of "least privilege," and emergency access. In addition, SSPs should include specific technical standards (security settings, critical system configuration, etc.) for each general support system and major application.

Management's Response:

The DOLAR$ SSP will be updated to incorporate these items of concern about passwords and how the OCFO plans to improve on them. The DOLAR$ SSP will also include monitoring practices and procedures for user IDs. The OCFO expects to have these items included in the DOLAR$ SSP by the end of the second quarter of FY 2001.

OIG's Conclusion:

We concur with management's plan to correct this weakness. This recommendation is resolved and open pending our review of the corrective actions taken during the FY 2001 audit.

b.
Logical Controls to Prevent or Detect Unauthorized Access

During the FY 2000 audit, we found that policies and procedures over the authorization, modification, and periodic monitoring of users (end users, contractors, production support, etc.) having logical access to the IPS environment (application, operating system, databases, utilities, etc.) require improvement. Specifically, the following weaknesses were identified:

•      Access had not been revoked or removed from the system for 2 of 23 IDs deemed obsolete (i.e., IDs that had not been accessed for between 60 days and 7 years).
•      Multiple IDs had been granted to 7 of the 23 users selected for testing.
•      Periodic reviews of access privileges are not performed.
•      An excessive number of user IDs (an estimated 200) were maintained on the system in a "revoked" status.
•      Consistent password intervals were not being used.
Specifically, 3 of the 23 IDs tested did not have their password interval set to 30 days.

Without clearly defined policies, procedures and assignment of responsibility for security administration, security administrators may not be fully aware of management's security objectives and may not consistently perform the procedures required to provide effective control. Specifically,

•      Undocumented or out-of-date access request forms may compromise the integrity of the system by granting access that is not consistent with management's security objectives, authorized intent, or user job responsibilities.
•      Inadequate controls over the monitoring and removal of obsolete or inactive IDs from the system increase the risk of unauthorized access to system resources.
•      Inadequate monitoring of access violations and changes to user profiles increases the risk that unauthorized attempts to gain access to system resources, or unauthorized modification of user access, will go undetected.

This may diminish the integrity and reliability of data and increase the risk of destruction or inappropriate disclosure of sensitive data.

The following criterion was used in reporting this finding:

       •       NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems

Recommendation:

The following prior year recommendation to the Chief Information Officer and Assistant Secretaries pertains to this finding:

•      ensure that agencies are in compliance with the Computer Security Handbook and that the agency SSPs (for its GSS and MAs) contain sufficient policies and procedures governing the authorization, modification, removal, and monitoring of access based upon the concept
of "least privilege," and emergency access. A recertification should be conducted of all IDs on the system, the business need documented, the password interval adjusted appropriately, obsolete and/or revoked IDs removed, and a unique (single) ID assigned to each user.

Management's Response:

•      Inactive IDs of the last few users for which obsolete data was on record have been removed from all systems. The SSPs will include the appropriate guidelines for monitoring and managing revoked and removed access privileges.
•      The OCFO SSPs will include guidelines for issuing multiple user IDs to individual users.
•      The OCFO SSPs will include the schedule for periodic reviews of access privileges.
•      The SSPs will include the appropriate guidelines for monitoring and managing revoked and removed access privileges.
•      The OCFO has completed the recertification of DOLAR$ and IPS users and now has comparable data on user and access authority on file. The SSPs will include the appropriate forms and guidelines for maintenance of these forms.
•      The OCFO SSPs will include guidelines for password interval conventions.

OIG's Conclusion:

We concur with management's actions and plans to correct these weaknesses. This recommendation is resolved and open pending our review of the corrective actions taken during the FY 2001 audit.

Status of Prior Year Findings and Recommendations

Risk Assessment

During our FY 1998 audit (OIG Report No. 12-99-002-13-001), we found the OCFO developed a risk assessment as part of the Y2K preparedness strategy. However, the risk assessment does not consider data sensitivity and integrity, the range of risks to the entity's systems and data, and resource classifications for the OCFO's systems (DOLAR$ and IPS).
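The recertification recommended under finding b above (obsolete IDs, multiple IDs per user, IDs left in "revoked" status, inconsistent password intervals) is the kind of review that can be run over an ID extract rather than by hand. The following Python is an added example, not OCFO's procedure or code from this report: the record layout, the names and the 60-day inactivity cut-off (the low end of the range cited in the finding) are assumptions, the 30-day interval is the one the finding cites, and the ID list is constructed for the example.

```python
"""Added example: ID recertification tests over a constructed user
extract.  Illustrative only; layout, names and thresholds are assumed."""
from collections import defaultdict
from datetime import date

AS_OF = date(2000, 9, 30)     # report date, used as the review cut-off (assumed)
INACTIVE_DAYS = 60            # low end of the 60-day to 7-year range in the finding
EXPECTED_INTERVAL = 30        # password interval the finding says should be set

# Constructed sample extract: (user_id, owner, status, last_access, pw_interval_days)
USERS = [
    ("PAY001", "A. Smith",  "active",  date(2000, 9, 28), 30),
    ("PAY002", "A. Smith",  "active",  date(2000, 9, 1),  30),   # second ID, same person
    ("PAY003", "B. Jones",  "active",  date(1993, 4, 12), 30),   # idle for years
    ("PAY004", "C. Lee",    "revoked", date(1999, 2, 2),  30),   # revoked but never removed
    ("PAY005", "C. Lee",    "active",  date(2000, 9, 29), 90),   # wrong interval
    ("PAY006", "D. Patel",  "active",  date(2000, 6, 15), 30),   # > 60 days idle
    ("PAY007", "E. Rivera", "revoked", date(2000, 1, 10), 365),
    ("PAY008", "F. Chen",   "active",  date(2000, 9, 20), 30),   # passes every test
]


def recertify(users, as_of=AS_OF):
    """Return {user_id: [(code, message), ...]} for every ID failing a test.

    Codes: REVOKED (still on system), INACTIVE (no access within the
    cut-off), MULTIPLE (owner holds more than one ID), INTERVAL (password
    interval not the expected value).  IDs with no issues are omitted."""
    ids_per_owner = defaultdict(list)
    for uid, owner, *_ in users:
        ids_per_owner[owner].append(uid)

    report = {}
    for uid, owner, status, last_access, interval in users:
        issues = []
        idle = (as_of - last_access).days
        if status == "revoked":
            issues.append(("REVOKED", "revoked ID still on system; remove"))
        elif idle >= INACTIVE_DAYS:
            issues.append(("INACTIVE", f"no access for {idle} days; confirm need or remove"))
        others = [o for o in ids_per_owner[owner] if o != uid]
        if others:
            issues.append(("MULTIPLE", f"owner also holds {', '.join(others)}; consolidate"))
        if interval != EXPECTED_INTERVAL:
            issues.append(("INTERVAL", f"password interval {interval} days; set to {EXPECTED_INTERVAL}"))
        if issues:
            report[uid] = issues
    return report


def summary(report):
    """Count issues by code, the figures an audit write-up would quote."""
    counts = {"REVOKED": 0, "INACTIVE": 0, "MULTIPLE": 0, "INTERVAL": 0}
    for issues in report.values():
        for code, _ in issues:
            counts[code] += 1
    return counts


if __name__ == "__main__":
    findings = recertify(USERS)
    for uid in sorted(findings):
        for code, msg in findings[uid]:
            print(f"{uid}  {code:<8} {msg}")
    print(summary(findings))
```

The owner column is what makes the "multiple IDs" test possible; if the extract carries only IDs, that test cannot be run and the recertification must go back to the access request forms, which is the gap the finding's first bullet describes.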
In addition, the issue could not be fully considered resolved until the CIO implements the SSP as noted in the OIG's FY 98 recommendation. We made the following recommendation to the Chief Information Officer and Assistant Secretaries:

•       ensure entitywide security programs are developed, documented and implemented for all departmental systems. The programs should include an up-to-date security plan, risk assessments, security management structure, and access monitoring.

During our FY 2000 audit, we found that the OCFO performed a Vulnerability Assessment/Risk Analysis for DOLAR$ on August 14, 2000, entitled "Final Report - DOLAR$ Risk Assessment," using the guidance provided by the Vulnerability Assessment Methodology Guide that has been included as Appendix B of the Computer Security Handbook, and the RiskWatch software. The IPS Risk Assessment, though not fully completed during the period under review, was under final approval by the OCFO. The IPS Risk Assessment is being created following the same methodology as DOLAR$. Management plans to address resource classification (e.g., Integrity, Availability, and Confidentiality) in their Security Plans, which will be complete in the 1st quarter of FY 2001. Therefore, this recommendation is resolved and open. Closure is dependent on our review of the IPS Risk Assessment.

Management's Response:

The report correctly notes the status of SSPs as of the end of the fiscal year. Subsequent to that date, the OCFO formally submitted the SSP for DOLAR$, including the formal risk assessments, by the end of the first quarter, has to date received two cycles of CIO-recommended clarifications to that plan, and will resubmit the next version to the CIO by the end of the second quarter.
The
IPS-related material has been submitted to the CIO and we are waiting for the CIO’s response.
Pending receipt and evaluation of the CIO’s response, we expect to have the final round of
submissions for IPS by the end of the third quarter.

OIG’s Conclusion:

This recommendation remains resolved and open pending our review of the corrective actions
taken during the FY 2001 audit.

Entitywide Security Program Plan

During our FYs 1998 and 1999 audits (OIG Report Nos. 12-99-002-13-001 and 12-98-002-13-001),
we found the security plans for the OCFO were still in draft and management was still
in the process of finalizing the document. In addition, a policy was not in place requiring the plan
to be updated periodically, when the systems environment changes, a security incident occurs, etc.
We made the following recommendations to the Chief Information Officer and Assistant
Secretaries:

• ensure entitywide security programs are developed, documented and implemented for
  all departmental systems. The programs should include an up-to-date security plan,
  risk assessments, security management structure, access monitoring, and
• ensure computer security plans are developed and implemented for all departmental
  systems.

During our FY 2000 audit, we found that the DOLAR$ and IPS System Security Plans (SSPs) are
currently being developed using guidance from the Department of Labor Computer Security
Handbook. According to management, completion of the DOLAR$ SSP is expected by the 1st
Quarter of FY 2001. Therefore, these recommendations are resolved and open.
Closure is
dependent on our review of the DOLAR$ and IPS System Security Plans.

Management’s Response:

As previously noted, the OCFO expects to issue its final DOLAR$ SSP by the end of the second
quarter and the IPS SSP by the end of the third quarter. We expect to complete the entitywide
OCFO security plan by the end of the first quarter of FY 2002.

OIG’s Conclusion:

These recommendations remain resolved and open pending our review of the corrective actions
taken during the FY 2001 and the FY 2002 audits.

Security Management Structure and Security Responsibilities

During our FY 1998 audit (OIG Report No. 12-99-002-13-001), we found that an independent
group responsible for security administration had not been established within the OCFO. We also
found that there was no overall system security manager for DOLAR$. We made the following
recommendation to the Chief Information Officer and Assistant Secretaries:

• ensure entitywide security programs are developed, documented and implemented for
  all departmental systems. The programs should include an up-to-date security plan,
  risk assessments, security management structure, and access monitoring.

During our FY 2000 audit, we found that the DOLAR$ and IPS SSPs will include a security
management structure that clearly assigns security responsibilities over its systems and various
programs. DOLAR$ has a formal Application Security Manager; OCFO has a designated overall
System Security Administrator. The DOLAR$ SSP is currently being developed using guidance
from the Department of Labor Computer Security Handbook. Completion of the DOLAR$ SSP
is expected by the 1st Quarter of FY 2001. Therefore, this recommendation is resolved and
open.
Closure is dependent on our review of the DOLAR$ and IPS System Security Plans.

Management’s Response:

The OCFO has been establishing a formal systems security infrastructure featuring an overall
agency security official and clearly delineating individual roles and responsibilities across the
entire organization. The infrastructure will meet or exceed all DOL-published security standards.
The target date for completion is the end of FY 2001.

OIG’s Conclusion:

This recommendation remains resolved and open pending our review of the corrective actions
taken during the FY 2001 audit.

Security-Related Personnel Policies

During our FYs 1998 and 1999 audits (OIG Report Nos. 12-99-002-13-001 and 12-00-002-13-001),
we found that the OCFO needed to improve the effectiveness of its security controls related
to personnel policies and procedures. We made the following recommendations to the Chief
Information Officer and Assistant Secretaries:

• ensure that employees are required to attend training and maintain the appropriate
  documentation (e.g., lists of employees as of the training course date, attendance sheet
  of employees taking the course, topics, agendas, handouts, etc., provided during the
  program), and
• ensure that background checks are conducted for all Government employees and
  contractor management personnel with high levels of system access.

During our FY 2000 audit, we found the following:

• The OCFO has completed the sensitivity level assessment of positions to determine if they
  are of High, Moderate or Low risk, to ensure that individuals have the appropriate
  background screening.
• Clearances are currently being processed for the personnel identified.
• According to Management, 5-year reinvestigations will be scheduled, as
necessary.
  Therefore, not all reinvestigations have been completed or are in progress.
• The OCIO provides annual and refresher security awareness training to all employees.
  Most recently, the CIO’s memorandum entitled Computer Security Awareness Video,
  dated December 16, 1999, was released disseminating copies of the video “Safe Data: It’s
  Your Job” to all agencies. According to Management, viewing of this video satisfies the
  OMB Circular A-130 requirement to provide security awareness training to all employees
  on a regular basis. Records documenting employees’ attendance were not available for
  review to evidence that OCFO employees attended this training.
• According to Management, Confidentiality Agreements will be signed, as necessary.
  Therefore, not all Confidentiality Agreements have been completed or are in progress.
• According to Management, Position Descriptions (PDs) will be updated, as necessary.
  Several PDs were reviewed as part of the audit, and we noted that new
  descriptions had been created for some positions. However, others were not updated.
  Therefore, management is still in the process of ensuring that outdated PDs are updated.

These recommendations are resolved and open. Closure is dependent on our review of the
OCFO’s security controls related to personnel policies and procedures for the FY 2001 financial
statement audit.

Management’s Response:

• The OCFO has targeted the end of FY 2001 to initiate all critical background
  investigations.
The positions that require background investigations will be incorporated
  into the appropriate SSPs.
• The OCFO SSPs, all of which are expected to be completed by the end of FY 2001, will include
  the periodic reinvestigation schedules.
• The OCFO entitywide SSP, due by the end of the first quarter of FY 2002, will include the
  OCFO security awareness and training program.
• The OCFO SSPs, all of which are expected to be completed by the end of FY 2001, will include
  the requirements for confidentiality agreements with contractors. The OCFO has already
  begun this practice with its two major support contract companies.
• The OCFO has targeted the end of FY 2001 to complete all critical position description
  changes.

OIG’s Conclusion:

These recommendations remain resolved and open pending our review of the corrective actions
taken during the FY 2001 and FY 2002 audits.

Accreditation and Security Reviews

During our FY 1998 and FY 1999 audits (OIG Report Nos. 12-99-003-13-001 and 12-00-003-001),
we found that the OCFO had not periodically assessed the appropriateness of security
policies and compliance with them.
Specifically, we found that DOLAR$ and IPS:

• have not been authorized or accredited by the system manager whose mission is supported
  by the application, and
• have not undergone an independent application review or audit in the last 3 years.

We made the following recommendations to the Chief Information Officer and Assistant
Secretaries:

• ensure that agencies are in compliance with the security handbook by verifying that all
  financially significant applications support systems have been properly accredited and
  that independent functional reviews are conducted at least every 3 years, and
• ensure that all departmental systems are accredited by the program management.

During our FY 2000 audit, we found that the DOLAR$ SSP is expected to be implemented
during the 1st quarter of FY 2001 and will include the authorizing and accrediting of the DOLAR$
system. Management presented two reviews of the DOLAR$ application. Anderson Consulting,
Inc. (October 23, 1997), and Troy Systems, Inc. (September 30, 1998), conducted the reviews.
The scope of the reviews only covered assessing and making recommendations surrounding the
security policies and procedures of the outdated DOLAR$ security plan. Management is in the
process of addressing the recommendations made in these reviews as it completes the DOLAR$
SSP. DOLAR$ has not undergone an independent application controls review or audit.
Therefore, these recommendations are resolved and open. Closure is dependent upon our
review of a current independent application controls review or audit for DOLAR$ and IPS.

Management’s Response:

DOLAR$ and IPS SSPs, as discussed earlier, will include the date of authorization and name and
title of the management official authorizing processing, by the end of FY 2001.
Based on
discussion following last year’s audit, the OCFO committed to obtaining an independent review of
the accounting and payroll systems operations. These reviews are expected to begin by the end of
FY 2001.

OIG’s Conclusion:

These recommendations remain resolved and open pending our review of the corrective actions
taken during the FY 2001 and FY 2002 audits.

Logical Controls to Prevent or Detect Unauthorized Access

During our FY 1998 and FY 1999 audits (OIG Report Nos. 12-99-003-13-001 and 12-00-003-001),
we found that policies and procedures over the authorization, modification, and periodic
monitoring of users (end users, contractors, production support, etc.) having logical access to the
DOLAR$ environment (application, operating system, databases, utilities, etc.) required
improvement. We made the following recommendations to the Chief Information Officer and
Assistant Secretaries:

• ensure that agencies are in compliance with the computer security handbook and that
  the agency SSPs (for its GSS and MAs) contain sufficient policies and procedures
  governing the authorization, modification, removal, and monitoring of access based upon
  the concept of “least privileged,” and emergency access. A recertification should
  be conducted of all IDs on the system and the business need documented.
In addition,
  IDs that have been granted access to production programs and data (outside of the
  application) should be restricted from this level of access, and
• ensure all departmental Computer Security Plans have policies and procedures for user
  access, physical access, and monitoring of sensitive and critical resource access.

During our FY 2000 audit, we found that the DOLAR$ user community is relatively small and
responsibility for requesting and deleting access has been with the Department’s finance offices.
The Office of Accounting and Payment Services (OAPS) recently implemented a periodic
recertification process that includes a comparison between a user’s actual access level and a user’s
granted access level. Additionally, updates are made periodically because of changes within
the staff. Changes within the staff bring about changes in user duties, which cause
modifications in user access level, whether temporary or permanent.

The OCFO recognizes the need to institutionalize the process of continually reviewing DOLAR$
users to ensure they have a business need to access DOLAR$.
The OCFO will issue and
implement policies and procedures to:

• require that all current users, including those with read-only access, complete, and that
  supervisors approve, a new form requesting access to DOLAR$;
• require on a 3-year cyclical basis beginning with FY 2001 that all users complete, and that
  supervisors approve, a new form requesting DOLAR$ access;
• require that all obsolete user IDs are removed from DOLAR$;
• control the use of multiple IDs granted to individual users;
• evaluate on a continuing basis the level of access to DOLAR$; and
• establish criteria for removing revoked IDs from the system.

These recommendations are resolved and open. Closure is dependent upon our review of the
new OCFO policies and procedures to control access to DOLAR$.

Management’s Response:

• The OCFO has completed the recertification of DOLAR$ and IPS users and now has
  comparable data on user and access authority on file. The SSPs will include the
  appropriate forms and guidelines for maintenance of these forms.
• Inactive IDs of the last few users for which obsolete data was on record have been
  removed from all systems.
The SSPs will include the appropriate guidelines for monitoring
  and managing revoked and removed access privileges.
• The OCFO SSPs will include guidelines for issuing multiple user IDs to individual users.
• The OCFO SSPs will include the schedule for periodic reviews of access privileges.
• The SSPs will include the appropriate guidelines for monitoring and managing revoked
  and removed access privileges.

OIG’s Conclusion:

These recommendations remain resolved and open pending our review of the corrective actions
taken during the FY 2001 audit.

Access Monitoring and Security Violations

During our FY 1999 audit (OIG Report No. 12-00-003-001), we found that the OCFO’s security
monitoring controls over the mainframe platform required improvement. We made the following
recommendation to the Chief Information Officer and Assistant Secretaries:

• ensure that agencies are in compliance with the computer security handbook and that
  agency SSPs (for its GSS and MAs) include appropriate policies and procedures for
  the monitoring of inappropriate or unusual activity occurring on the system. Policies
  and procedures should include, but are not limited to, management’s determination of
  what constitutes a violation of the policy, the frequency of reviews, reporting and
  escalation processes, and maintenance of documentation (manual or automated) for
  audit trail purposes, etc.

During our FY 2000 audit, we found that OCFO management was committed to ensuring that the
DOLAR$ (and IPS) SSPs will include appropriate policies and procedures for the monitoring of
inappropriate or unusual activity occurring on the system.
Policies and procedures will include
management’s determination of what should be recorded on logs and what constitutes a violation of
the policy, frequency of reviews, reporting and escalation processes, and maintenance of
documentation (manual or automated) for audit trail purposes, etc. During our review, we found
a first draft of these procedures. Therefore, this recommendation is resolved and open. Closure
is dependent upon our review of the final OCFO procedures.

Management’s Response:

The OCFO SSPs, both of which are expected to be completed by the end of FY 2001, will include
appropriate policies and procedures for the monitoring of activity and security-related reports.

OIG’s Conclusion:

This recommendation remains resolved and open pending our review of the corrective actions
taken during the FY 2001 audit.

2.     DOL Needs to Fully Implement a Systems Development Life Cycle Methodology

Current Year Findings and Recommendations

a.
Change Control Policies and Procedures

During our FY 2000 audit of the IPS change control methodology and procedures, we found
several weaknesses:

• IPS’s change management methodology needs to be enhanced to comply with the U.S.
  Department of Labor’s Systems Development and Life Cycle Manual.
• There is no evidence of appropriate authorization methods for software modifications
  within the IPS system.
• There is no evidence of test plan standards and proper reviews of test results
  corresponding to changes in the IPS system software.

Without controls over the modification of application software programs and the movement of
programs and data among libraries, IPS runs the risk of unauthorized program and data changes.
For example, improper changes could be incorporated into the program, causing processing
irregularities, hampering further system development at a future time, or causing security features
to become inoperable.

The following criteria were used in reporting this finding:

  • OMB Circular A-130, Appendix III, Security of Federal Automated Information
    Resources
  • NIST Special Publication 800-18, Guide for Developing Security Plans for
    Information Technology Systems

Recommendation:

The following prior year recommendation to the Chief Information Officer and Assistant
Secretaries pertains to this finding:

• ensure the SDLC process is followed by all DOL and contractor personnel who are
  developing, acquiring, or managing systems or making enhancements to existing
  systems.

Management’s Response:

IPS uses an application migration management system which does, in fact, indicate the who, what,
and when of any change. The OCFO has updated documentation of the change control process in
IPS.
Change Control Request/Authorization numbers are now embedded in the comments of all
code modifications, providing an audit trail of the process from the authorizing official’s request
through to the migration of software from the test environment to the production environment.

The test environment provides ample means for programmers to test their code modifications
against parallel data. Test results are reviewed for approval by the application team leader before
being passed to the Division Chief for final approval and migration. The OCFO believes that this
finding can be closed in FY 2001.

OIG’s Conclusion:

We concur with management’s actions and plans to correct these weaknesses. This
recommendation is resolved and open pending our review of the corrective actions taken during
the FY 2001 audit to ensure compliance with the Department’s SDLC.

b. Critical Documentation

During our FY 2000 audit, we found that the OCFO has not updated or does not have application
documentation for its critical systems (DOLAR$ and IPS) such as user manuals, maintenance
manuals, operational manuals, etc., to reflect the systems’ current operating environment. For
example:

• The DOLAR$ User Manual has not been updated since 1987.
• Documented procedures for using “Easytrieve” to generate critical financial reports do not
  exist.

In the absence of adequate application instruction manuals, transactions can be incorrectly
processed. Without instructions detailing the application’s operation and security features, a user
without adequate knowledge will have difficulty utilizing the application, increasing the risk of
corrupting critical/sensitive data. Users could inadvertently grant inappropriate access and/or
perform security violations.
In the event that proficient users are unavailable, the agency may not
be able to effectively operate the application or generate critical reports.

The following criteria were used in reporting this finding:

  • The Systems Development and Life Cycle Manual, Version 2.0
  • OMB Circular A-130, Appendix III, Security of Federal Automated Information
    Resources
  • NIST Special Publication 800-18, Guide for Developing Security Plans for
    Information Technology Systems

Recommendation:

The following prior year recommendation to the Chief Information Officer and Assistant
Secretaries pertains to this finding:

• ensure the SDLC process is followed by all DOL and contractor personnel who are
  developing, acquiring, or managing systems or making enhancements to existing
  systems. The SDLC Manual includes requirements for developing and periodically
  updating user manuals, maintenance manuals, operational manuals, system
  administrators’ manuals, etc.

Management’s Response:

OCFO is in the process of developing a computer-based training (CBT) product for DOLAR$.
The first phase delivery is expected in July 2001. OCFO plans to expand the use and content of
this tool to eventually provide full end user documentation and training for DOLAR$. OCFO has
completed the basic system documentation for both DOLAR$ and IPS and continues to
upgrade/update them (job controls, run books, scheduling, requirements and data dictionaries).
Even though the IPS users’ manual has not been upgraded since 1987, very little has changed
from the end user point of view, and for those items that have been modified or enhanced, OCFO
has communicated these modifications to the users and has issued user instructions.
By the end of
FY 2001 OCFO will evaluate the cost/benefit of updating the current IPS user manuals or waiting
until the new payroll application, which will have substantial user documentation, is released in
FY 2002. Note: Easytrieve is not currently in production control.

OIG’s Conclusion:

We concur with management’s actions and plans to correct these weaknesses. This
recommendation is resolved and open pending our review of the corrective actions taken during
the FY 2001 audit to ensure compliance with the Department’s SDLC.

Status of Prior Year Findings and Recommendations

Change Control Policies and Procedures

During our FY 1998 and FY 1999 audits (OIG Report Nos. 12-00-003-13-001 and 12-99-003-001),
we found that DOLAR$ did not have up-to-date change control policies and procedures.
We made the following recommendations to the Chief Information Officer and Assistant
Secretaries:

• ensure the SDLC process is followed by all DOL and contractor personnel who are
  developing, acquiring, or managing systems or making enhancements to existing
  systems, and
• ensure that the application change control policies and procedures are developed and
  implemented for all departmental systems, including procedures to implement an
  automated tool for application version control where applicable.

During our FY 2000 audit, we found that OCFO management had identified the need to update its
SDLC practices; however, it was waiting for the CIO's Systems Development Life Cycle Manual.
The CIO's SDLC manual was issued.
Prior to the SDLC's issuance, the OCFO anticipated several
changes through review of the draft CIO's SDLC manual and began to implement new procedures
that included:

• formalizing approvals of changes,
• using flow charts to document the change cycle,
• using logs to track all changes, and
• looking at formalizing testing procedures for changes made to the system, etc.

These recommendations are resolved and open. Closure is dependent on our review of the
OCFO updated SDLC practices.

Management’s Response:

The finding correctly notes the status of the finding and the changes implemented.

• During FY 2001, OCFO has begun to document source code change information in the
  modules themselves, thus assisting in our configuration management. As time permits,
  OCFO is further codifying prior year changes where there might be inconsistencies in the
  migration materials for DOLAR$. The OCFO believes this finding can now be closed.
• The DOLAR$ SSP contains the policies and procedures for the change control process.
  The OCFO believes this finding can now be closed.

OIG’s Conclusion:

These recommendations remain resolved and open pending our review of the corrective actions
taken during the FY 2001 audit to ensure compliance with the Department’s SDLC.

3.     DOL Needs to Complete and Fully Test Its Plan(s) for Maintaining Continuity of
       Operations

Current Year Finding and Recommendation

a.
Disaster Recovery Plan

During our FY 2000 audit, we found that the OCFO’s “Business Continuity Plan,” dated
December 1999, is too narrow in scope (it addresses Y2K scenarios) and does not sufficiently
address all critical objectives for a contingency plan as defined in the CIO's CSHB Attachment C,
Contingency Planning Methodology Guide. By not having a comprehensive contingency plan that
has been formally approved, documented in sufficient detail, and adequately tested, DOLAR$ may
not be able to adequately recover from an extended service interruption. The inability to recover
in the event of a disaster or extended service interruption may result in the loss of data.

The following criteria were used in reporting this finding:

  • DOL Computer Security Handbook
  • OMB Circular A-130, Appendix III, Security of Federal Automated Information
    Resources
  • NIST Special Publication 800-18, Guide for Developing Security Plans for
    Information Technology Systems
  • FIPS Pub. No. 87, Guidelines for ADP Contingency Planning

Recommendation:

The following prior year recommendation to the Chief Information Officer and Assistant
Secretaries pertains to this finding:

• ensure agencies are in compliance with the computer security handbook by ensuring
  each agency develops the required contingency plan.
In addition, agencies should
  ensure that: arrangements have been made for an alternate processing facility; plans
  are stored at the off-site storage facility; and plans include sufficient guidelines for
  developing roles, responsibilities and recovery instructions, training primary and back-up
  personnel, and frequency of updates, testing, etc.

Management’s Response:

The OCFO has been working to comply with all the requirements for appropriate documentation.
Given the commitment to address security documentation first, the OCFO will address the
updates of its business continuity and contingency planning during the latter part of FY 2001.
OCFO expects to have the appropriate documentation in place by the end of FY 2001.

OIG’s Conclusion:

We concur with management’s actions and plans to correct these weaknesses. This
recommendation is resolved and open pending our review of the corrective actions taken during
the FY 2001 audit.

Status of Prior Year Findings and Recommendations

Disaster Recovery Plan

During our FY 1998 and FY 1995 audits (OIG Report Nos. 12-98-003-13-001 and 12-96-003-001),
we found that the DOLAR$ Disaster Recovery/Business Continuity Plan did not have a
complete inventory listing of items such as computer hardware, software, and telecommunications
needed for operations. We made the following recommendations to the Chief Information Officer
and Assistant Secretaries:

• ensure written disaster recovery plans are developed where needed, and
• ensure each agency develops the required contingency plan.
In addition, the CIO
  should ensure that appropriate test plans (full and partial) are conducted on a periodic
  basis.

During our FY 2000 audit, we found that access to DOLAR$ is through the ECN and, if the ECN
becomes inoperable, DOLAR$ would rely on the mechanism used by the ECN in that case. The
OCFO will include as part of its disaster plan those portions of the ECN disaster recovery plan
which DOLAR$ would rely on if the ECN became inoperable.

In addition, management stated that the DOLAR$ application resides on a contracted mainframe
system that was recently accredited, in February 2000, as meeting the security requirements of
OMB Circular A-130. As confirmed by the contractor (SunGard), the disaster recovery services
include user access. Based upon the information provided by management, the OCFO will
include an inventory of items such as computer hardware, software, and telecommunications
needed for operations as it continues its efforts to develop its disaster plan. Therefore, these
recommendations are resolved and open. Closure is dependent on our review of the DOLAR$
revised disaster recovery plan.

Management’s Response:

The OCFO is working with the CIO to establish the cross-referencing materials to conform their
respective disaster recovery plans and manuals, and keep inventories up to date. In addition, the
continuity plans will also be cross-referenced in the DOLAR$ systems documentation.
All
updates should be completed by the end of FY 2001.

OIG’s Conclusion:

These recommendations remain resolved and open pending our review of the corrective actions
taken during the FY 2001 audit.

EMPLOYMENT STANDARDS ADMINISTRATION (ESA)

We tested general controls and security over EDP systems of the ESA as they pertain to the
following critical financial applications:

• Federal Employees’ Compensation System (FECS)
• Backwage Collection and Disbursement System (BCDS)
• Civil Monetary Penalties System (CMP)
• Longshore System (LS)
• Automated Support Package (ASP)

GAO’s Federal Information System Controls Audit Manual (FISCAM) was used to guide testing.
The scope of testing included two FISCAM general controls sections: (1) Entitywide Security
Program Planning and Management (SP) and (2) Access Controls (AC). In addition, prior year
issues reported by management as being closed during the period under review were also tested
using the FISCAM. We followed up on prior year findings from two other FISCAM general
controls sections: (1) Application Software Development and Change Control (CC) and (2)
Service Continuity (SC).

The BCDS and CMP applications both reside on the same production server located in the ESA
Data Center; thus, we tested the EDP controls over that server. The LS application resides on a
different server also located in the ESA Data Center; thus, we tested the EDP controls over that
server as well.
Because the three financial applications reside on servers located in the ESA Data Center and access to these servers is the responsibility of ESA's Division of Information Technology Management and Services (DITMS), we tested the access control policies and procedures of DITMS, focusing on the three applications mentioned above.

The FECS application resides on a mainframe located at the SunGard Data Center; thus, our scope was limited to the EDP controls that are the responsibility of ESA as they relate to the mainframe processing of FECS. The following controls were deemed out of scope and were not tested:

•      Controls that are the responsibility of DOL's contractor, SunGard. SunGard supports and maintains the mainframe operating system and physical environment used to process and store FECS application data. These controls are covered as part of the SunGard SAS 70 review.
•      Controls associated with the Unix environments running the client server portion of FECS. Unix is the platform used as a Front End Processor (FEP) that initially processes and transmits FECS information from the 13 district offices to the SunGard mainframe.

The ASP application resides on a mainframe located at the Computer Sciences Corporation (CSC) Data Center; thus, our scope was limited to the EDP controls that are the responsibility of ESA as they relate to the mainframe processing of ASP. The following controls were deemed out of scope and were not tested:

•      Controls that are the responsibility of DOL's contractor, CSC. CSC supports and maintains the mainframe operating system and physical environment used to process and store ASP application data.
These controls are covered as part of the CSC SAS 70 review.

•      Controls associated with the Division of Coal Mine Workers' Compensation Data Center, which is run by CSC contractors and contains the telecommunications equipment used by the nine district offices and the National Office to connect to the mainframe.

1.     DOL Needs to Strengthen Controls to Protect Its Information

Current Year Findings and Recommendations

a. File Permissions

During our FY 2000 audit, we found that file permissions were weak. Due to the sensitivity, specific conditions are not listed; however, they were provided to the appropriate offices at the completion of the audit.

The following risks arise from improperly established file permissions:

•      An improperly set umask in a user's .profile, .login or .cshrc file causes the files that user creates to be group- or world-writable, increasing the risk that unauthorized users will modify or delete files created by other users.
•      Improper permissions on HOME directories or login scripts could allow a user to obtain the level of access of another ID on the server, for example by inserting commands into another user's login script so that they execute at that user's next login. If the compromised ID is business-critical, this vulnerability is high-risk and could be exploited to gain privileged access on the server.
•      System configuration files and other files writeable by other users increase the risk that unauthorized users will delete or modify these files.

The following criteria were used in reporting this finding:

       •       NISTIR 5153, Minimum Security Requirements for Multi-user Operating Systems
       •       OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources

Management concurred with the finding and took immediate corrective action; therefore, this issue is considered closed.

b. Unix Path Variable

During our FY 2000 audit, we found that the user PATH variable on the production server was not configured in a secure manner. Due to the sensitivity, specific conditions are not listed; however, they were provided to the appropriate offices at the completion of the audit.

An insecure PATH variable (for example, one that contains the current directory or a world-writable directory, particularly ahead of the system directories) increases the risk that users will be "spoofed" by a program named after a common system command such as ls (list files), which is then executed instead of the system ls. For example, an unauthorized user could write a program that performs arbitrary actions, name it ls, and place it in a directory that precedes /bin or /usr/bin in the victim's PATH. When the authorized user invokes ls, the bogus program runs with that user's privileges.

The following criteria were used in reporting this finding:

       •       NISTIR 5153, Minimum Security Requirements for Multi-user Operating Systems
       •       OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources

Management concurred with the finding and took immediate corrective action; therefore, this issue is considered closed.

c.
Generic Accounts

During our FY 2000 audit, we found that users are not required to supply an individual user ID and password before accessing a generic account, including the root account, on two production servers. In addition, auditing should be enabled on both servers. Anonymous accounts weaken accountability: if many users can use the same account without first logging in with an individual user ID and password, there is no way to distinguish which activities were performed by which users. Auditing is required to ensure that user accountability is maintained.

The following criteria were used in reporting this finding:

       •       NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
       •       OMB Circular A-130 Appendix III, Security of Federal Automated Information Resources

Recommendation:

The following prior year recommendation to the Chief Information Officer and Assistant Secretaries pertains to this finding:

•      ensure agency SSPs include specific technical standards (security settings, critical system configurations, etc.), for each general support system and major application.

Management's Response:

ESA concurs with this finding. ESA is in the process of developing methods and procedures to implement controls and expects to put those methods/procedures in place during FY 2001.

OIG's Conclusion:

We concur with management's plans to correct these weaknesses. This recommendation is resolved and open pending our review of the corrective actions taken during the FY 2001 audit.

d. System Warning Banners

During our FY 2000 audit, we found that there was no system warning message in the /etc/motd file on two production servers.

It is important to inform users of the sensitive nature of the resources they are using. ESA's ability to prosecute criminals may be impaired by the lack of a warning message. It is also good practice to proactively inform users that they are subject to audit. Note that /etc/motd is displayed only after a successful login; the same notice should also be presented before authentication (for example in /etc/issue for console logins and in the pre-login banner of each network login service), so that a person who never completes a login has still been warned.

The following criteria were used in reporting this finding:

       •       OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources
       •       NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems

Management concurred with the finding and took immediate corrective action; therefore, this issue is considered closed.

e. Password Aging

During our FY 2000 audit, we found that password aging parameters were weak on two production servers. Due to the sensitivity, specific conditions are not listed; however, they were provided to the appropriate offices at the completion of the audit.

Passwords left unchanged over a long period give an intruder more time to crack them. In addition, a minimum password age prevents users from changing their passwords again before a minimum interval has elapsed, which stops users from cycling straight back to their old passwords.

The following criteria were used in reporting this finding:

       •       NISTIR 5153, Minimum Security Requirements for Multi-user Operating Systems
       •       OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources

Management concurred with the finding and took immediate corrective action; therefore, this issue is considered closed.

f.
Password Length

During our FY 2000 audit, we found that the settings for password length could be improved. Specifically, we noted that the minimum password length on two production servers is six characters. Management stated that ESA's policies and procedures comply with the CIO Computer Security Handbook and believes the finding should be addressed by the CIO. Inadequate controls over the establishment of password parameters increase the risk that passwords will be easily guessed, allowing unauthorized users to gain access to system resources.

The following criteria were used in reporting this finding:

       •       NISTIR 5153, Minimum Security Requirements for Multi-user Operating Systems, indicates that passwords shall meet a customer-specifiable minimum length requirement. The system-supplied default minimum length shall be eight characters.
       •       OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources, established a minimum set of controls for agencies' automated information security programs, including assigning responsibility for security, security planning, periodic review of security controls, and management authorization of systems to process information. Agencies are required to establish controls to assure adequate security for all information processed, transmitted or stored in Federal automated information systems.

Recommendation:

The following prior year recommendation to the Chief Information Officer and Assistant Secretaries pertains to this finding:

•      ensure agency SSPs include specific technical standards (security settings, critical system configurations, etc.), for each general support system and major application.

Management's Response:

ESA concurs with this finding. While ESA agrees that a minimum length of six characters as a password could pose vulnerabilities, controls can be implemented to mitigate the vulnerabilities. It should be noted that ESA already has, in place, mitigating controls for password length. Closure of this finding will be dependent on OIG review of these controls.

OIG's Conclusion:

This recommendation is resolved and open pending our review of the compensating controls during the FY 2001 audit.

g. Unix Services

During our FY 2000 audit, we found that unnecessary services are running on two production servers. Due to the sensitivity, specific conditions are not listed; however, they were provided to the appropriate offices at the completion of the audit.

The r-services (rsh and rlogin) present a large amount of risk to a system: they allow users from hosts listed in /etc/hosts.equiv or a user's ~/.rhosts file to log in without supplying a password, authenticating only on the claimed source address and user name. The rstat daemon gives an intruder information about the host, including when the machine was last booted, how much CPU it is using, how many disks it has, how many packets have reached it, the load average and network traffic. Rusers provides information on the users logged in to the host: it shows how busy the machine is and reveals the login account names an intruder can use in an attack.
Such account names can be fed to a scanner or password-guessing tool and used by an attacker in a brute-force attack. Telnet is one of the larger risks to a system because it passes user IDs and passwords over the network in the clear. Anyone able to sniff traffic on the network path can capture this information and log in to the system as that user, and an established telnet session can also be hijacked.

The following criteria were used in reporting this finding:

       •       NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
       •       OMB Circular A-130 Appendix III, Security of Federal Automated Information Resources

Recommendation:

The following prior year recommendation to the Chief Information Officer and Assistant Secretaries pertains to this finding:

•      ensure agency SSPs include specific technical standards (security settings, critical system configurations, etc.), for each general support system and major application.

Management's Response:

ESA concurs with this finding. While ESA agrees the conditions noted by the OIG could pose vulnerabilities, controls can be implemented to mitigate the vulnerabilities. It should be noted that ESA already has, in place, mitigating controls for the conditions noted. Closure of this finding will be dependent on OIG review of these controls.

OIG's Conclusion:

This recommendation is resolved and open pending our review of the compensating controls during the FY 2001 audit.

h. Trust Relationships

During our FY 2000 audit, we found that overly broad trust relationships are used. Due to the sensitivity, specific conditions are not listed; however, they were provided to the appropriate offices at the completion of the audit.

Host-based trust relationships (entries in /etc/hosts.equiv and in users' ~/.rhosts files) expose the server to every host and account they name.
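The conditions behind findings (a), (b), (d), (g) and (h) above are all visible in a handful of configuration files, so the checks can be scripted and re-run after each change. The following is an added example written for this page, not a tool from the OIG, ESA or DOL: a hypothetical audit_unix_host() function that walks a host's filesystem root (a live "/" or an offline copy) and reports weak umask and PATH settings in login scripts, world-writable files under /etc, a missing /etc/motd banner, the r-services, rstatd, rusersd and telnet left enabled in inetd.conf, and "+" wildcard entries in /etc/hosts.equiv or ~/.rhosts. The service list, file names and the two sample host trees it builds are constructed for the example; they are not the specific conditions the OIG reported to ESA.

```python
import os
import re
import stat
import tempfile
from collections import Counter

# Hypothetical helper written for this page (not an OIG, ESA or DOL tool). It
# walks a host filesystem root, either "/" on a live server or an offline copy,
# and reports the weakness classes from findings (a), (b), (d), (g) and (h).
INSECURE_SERVICES = {"shell", "login", "exec", "rstatd", "rusersd", "telnet"}
LOGIN_SCRIPTS = (".profile", ".login", ".cshrc")


def _active_lines(path):
    """Non-blank, non-comment lines of a config file; [] if it does not exist."""
    if not os.path.isfile(path):
        return []
    with open(path) as fh:
        return [l.strip() for l in fh if l.strip() and not l.lstrip().startswith("#")]


def check_login_script(script, root):
    """umask must clear group/other write; PATH must not contain '.', an empty
    entry or a world-writable directory (a trojan 'ls' planted there runs with
    the victim's privileges)."""
    findings, umask, path_value = [], None, None
    for line in _active_lines(script):
        m = re.match(r"umask\s+0?([0-7]{3})\b", line)
        if m:
            umask = int(m.group(1), 8)
        m = re.match(r"(?:export\s+|setenv\s+)?PATH[= ](.*)$", line)
        if m:
            path_value = m.group(1).strip().strip('"')
    if umask is None or (umask & 0o022) != 0o022:
        findings.append(("UMASK", f"{script}: umask missing or permits group/other write"))
    for entry in (path_value.split(":") if path_value is not None else []):
        if entry in ("", "."):
            findings.append(("PATH", f"{script}: current directory in PATH"))
        elif entry.startswith("$"):
            continue  # $PATH etc. are expanded at login; not resolvable offline
        elif not entry.startswith("/"):
            findings.append(("PATH", f"{script}: relative PATH entry {entry!r}"))
        else:
            real = os.path.join(root, entry.lstrip("/"))
            if os.path.isdir(real) and os.stat(real).st_mode & stat.S_IWOTH:
                findings.append(("PATH", f"{script}: world-writable PATH directory {entry}"))
    return findings


def check_world_writable(directory):
    """Configuration files that any user on the system can modify."""
    out = []
    for dirpath, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mode & stat.S_IWOTH:
                out.append(("WORLD_WRITABLE", full))
    return out


def check_inetd(conf):
    """Risky services still enabled in inetd.conf; RPC entries look like 'rstatd/2-4'."""
    names = (line.split()[0].split("/")[0] for line in _active_lines(conf))
    return [("INSECURE_SERVICE", n) for n in names if n in INSECURE_SERVICES]


def check_trust(root, homes):
    """A bare '+' host or user field in hosts.equiv or .rhosts trusts everyone."""
    files = [os.path.join(root, "etc", "hosts.equiv")] + [os.path.join(h, ".rhosts") for h in homes]
    return [("TRUST", f"{f}: wildcard entry {line!r}")
            for f in files for line in _active_lines(f) if "+" in line.split()]


def audit_unix_host(root):
    """Return a list of (class, detail) findings for the host rooted at `root`."""
    home = os.path.join(root, "home")
    homes = [os.path.join(home, u) for u in sorted(os.listdir(home))] if os.path.isdir(home) else []
    findings = []
    for h in homes:
        for script in (os.path.join(h, s) for s in LOGIN_SCRIPTS):
            if os.path.isfile(script):
                findings += check_login_script(script, root)
    findings += check_world_writable(os.path.join(root, "etc"))
    findings += check_inetd(os.path.join(root, "etc", "inetd.conf"))
    findings += check_trust(root, homes)
    if not _active_lines(os.path.join(root, "etc", "motd")):
        findings.append(("BANNER", "/etc/motd missing or empty"))
    return findings


def build_sample_host(root, hardened):
    """Constructed sample host tree (not real data). Every mode is set
    explicitly so the process umask cannot skew the result."""
    weak = not hardened
    files = {  # relative path -> (contents, mode)
        "home/alice/.profile": (f"PATH={'.:' if weak else ''}/usr/local/bin:/usr/bin:/bin\n"
                                f"export PATH\numask {'000' if weak else '027'}\n", 0o644),
        "etc/passwd": ("root:x:0:0::/:/bin/sh\n", 0o666 if weak else 0o644),
        "etc/inetd.conf": ((("shell  stream tcp nowait root /usr/sbin/in.rshd   in.rshd\n"
                             "login  stream tcp nowait root /usr/sbin/in.rlogind in.rlogind\n"
                             "telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd\n"
                             "rstatd/2-4 dgram rpc/udp wait root /usr/sbin/rpc.rstatd rpc.rstatd\n"
                             "#finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd\n")
                            if weak else "# r-services, rstatd, rusersd, telnet disabled; ssh only\n"), 0o644),
    }
    if weak:
        files["etc/hosts.equiv"] = ("+\n", 0o644)           # trust every host
        files["home/alice/.rhosts"] = ("+ +\n", 0o644)      # trust every host and user
    else:
        files["etc/motd"] = ("WARNING: U.S. Government system, authorized use only.\n"
                             "All activity is subject to monitoring and audit.\n", 0o644)
    for rel, (text, mode) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    bindir = os.path.join(root, "usr", "local", "bin")   # a directory on PATH
    os.makedirs(bindir, exist_ok=True)
    os.chmod(bindir, 0o777 if weak else 0o755)


def demo():
    """Audit a weak and a hardened sample host; return finding counts per class."""
    results = []
    for hardened in (False, True):
        root = tempfile.mkdtemp(prefix="audit-")
        build_sample_host(root, hardened)
        results.append(dict(Counter(code for code, _ in audit_unix_host(root))))
    return tuple(results)
```

On the weak sample host demo() reports one UMASK, two PATH (the "." entry and the world-writable /usr/local/bin), one WORLD_WRITABLE, four INSECURE_SERVICE, two TRUST and one BANNER finding; the hardened host reports none. Two caveats apply on a real server: the inetd.conf check is only a configuration check, so confirm with netstat or a port scan that nothing is listening on the r-service, rstatd/rusersd (RPC) and telnet ports, since a daemon started from an rc script rather than inetd would not appear here; and check root's own login scripts and the system-wide /etc/profile as well, not only the user home directories this example walks.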
If a trusted host or user account is compromised, the attacker can use that trust to gain remote access to the server without entering a password.

The following criteria were used in reporting this finding:

       •       NISTIR 5153, Minimum Security Requirements for Multi-user Operating Systems
       •       OMB Circular A-130 Appendix III, Security of Federal Automated Information Resources

Recommendation:

The following prior year recommendation to the Chief Information Officer and Assistant Secretaries pertains to this finding:

•      ensure agency SSPs include specific technical standards (security settings, critical system configurations, etc.), for each general support system and major application.

Management's Response:

ESA concurs that there is a need to strengthen controls over its trust relationships and is currently reviewing and documenting specific trust relationships. Closure of this finding is dependent on the OIG reviewing the documented trust relationships.

OIG's Conclusion:

This recommendation is resolved and open pending our review of the documentation of the trust relationships during the FY 2001 audit.

i.
Entitywide Security Program Plan

During our FY 2000 audit, we found that the Division of Coal Mine Workers' Compensation (DCMWC), a division within ESA that administers ASP, is not required to follow ESA's policies and procedures, resulting in security policies and procedures that:

•      do not contain all of the components required by the DOL CIO's Computer Security Handbook (CSHB) or ESA's plans; and
•      duplicate the efforts of ESA, such as in the development of:
       •       security awareness training programs
       •       incident response capabilities

In addition, the DCMWC security management structure is not included in ESA's security management structure. Program offices are not effectively utilizing ESA's centralized security office, which has dedicated resources to provide policies and procedures consistent with ESA's security objectives and the CIO's CSHB; therefore, program offices may be duplicating efforts, leading to inefficient use of resources, and/or developing policies and procedures that are inconsistent with ESA's objectives.

The following criterion was used in reporting this finding:

       •       ESA GSS SSP

Recommendation:

The following prior year recommendation to the Chief Information Officer and Assistant Secretaries pertains to this finding:

•      ensure agency entitywide security programs are developed, documented and implemented for all departmental systems. The programs should include an up-to-date security plan, risk assessments, security management structure, and access monitoring.

Management's Response:

ESA does not concur with the finding that efforts to develop security awareness training programs or incident response capabilities result in duplication of effort.
ESA\xe2\x80\x99s IT Security\nTraining and Awareness Program, as well as the policies and procedures which result from this\nProgram, are being developed at a centralized level within ESA. Program-specific security\nawareness and training, e.g., that training which is applicable to specific applications, will be\ndeveloped at the Program level. The same is true for incident reporting.\n\nThe DCMWC ASP system is not currently under ESA IT management. Because this system is\ncompletely separated from ESA IT systems, DCMWC is responsible for its management and\noversight. This system is operated under contract by CSC on a CSC owned and operated\nmainframe. However, as noted in our January 3, 2001, response to the \xe2\x80\x9cStatement of Facts,\xe2\x80\x9d\nDCMWC is in the process of migrating to a client server system modeled after the ESA IT\narchitecture. Once this new system is implemented DCMWC will work with ESA IT staff to fully\nintegrate it into the ESA IT environment. In fact, this conversion to the ESA IT model is part of\nDCMWC\xe2\x80\x99s long-standing plan to eliminate duplicate efforts, reduce costs and achieve economies\nof scale by placing DCMWC IT systems under ESA IT management. Upon integration, the ESA\nsecurity plans will be updated to incorporate ASP security plans, and redundant programs will be\neliminated.\n\nWith respect to the comment regarding the ASP security plan, DCMWC has a comprehensive\nsecurity plan and extensive documentation regarding this plan. 
This plan, which covers both the\nGSS and MA, meets all of DOL\xe2\x80\x99s substantive requirements, but because this plan pre-dates the\nDOL guidelines the documentation does not conform to the format prescribed by the Department.\nAs indicated in numerous discussions with DOL and the OIG, as part of the client server\nimplementation process, DCMWC will update this security plan to cover the new system and will\nconform the plan to DOL guidelines.\n\nOIG\'s Conclusion:\n\nWhile ESA disagrees with the OIG assessment of duplicated effort caused by DCMWC\nindependence, ESA is currently working to incorporate DCMWC into the ESA IT model and\nenvironment. This recommendation is resolved and open. Resolution will depend on the OIG\nreview of the ESA IT environment after DCMWC has been fully incorporated into it.\n\nj. Accreditation and Security Reviews\n\nDuring our FY 2000 audit, we found that: (1) an application controls review has not been\nperformed on the ESA MAs, specifically, BCDS/CMP, LS, and ASP; however, an application\ncontrols review is in progress for FECS, and (2) an accreditation statement does not exist for\nBCDS/CMP, LS, and ASP.\n\n\n\n                                                 33\n\x0cIn the absence of independent reviews or audits of application controls, the integrity, reliability,\nand availability of data within the systems identified may be overlooked.\n\nThe following criteria were used in reporting this finding:\n\n       \xe2\x80\xa2       NIST Special Publication 800-18, Guide for Developing Security Plans for\n               Information Technology Systems\n       \xe2\x80\xa2       OMB Circular A-130 Appendix III, Security of Federal Automated Information\n               Resources\n\nRecommendation:\n\nThe following prior year recommendation to the Chief Information Officer and Assistant\nSecretaries pertains to this finding:\n\n\xe2\x80\xa2      ensure that agencies are in compliance with the computer security handbook by\n       
verifying that all financially significant applications and support systems have been properly accredited and that independent functional reviews are conducted at least every 3 years.

Management's Response:

ESA concurs with the findings related to the application controls reviews not being performed on BCDS/CMP, LS and ASP.

ESA also concurs that accreditation statements do not exist for BCDS/CMP or ASP. However, accreditation statements for Longshore were provided on December 20, 2000 and are documented in the Program's system security plans.

In order to abate these problems ESA has been in the process, over the past year, of restructuring its information security processes, including identification of an agency-wide computer security officer, and program-specific security officers. ESA plans, during FY 2001, to develop a schedule for periodic application reviews, risk assessments and system security plan revisions.

As noted above DCMWC is in the final stages of replacing the ASP system with a new client server system. The Office of the Inspector General recently completed an extensive "Security Testing and Evaluation Audit" of this system. Additional reviews will be conducted as required. An accreditation statement will be issued in conjunction with implementation of the new system.

OIG's Conclusion:

We concur with management's plans to correct these weaknesses. This recommendation is resolved and open pending our review of the corrective actions taken during the FY 2001 audit.

However, ESA noted the OIG has completed a "Security and Testing Evaluation Audit" as a step in the certification process. This audit has not been issued, and the issues identified by it need to be addressed before certification.

k.
Policies and Procedures for Clearing/Sanitizing Media Containing Sensitive Data

During our FY 2000 audit, we found that policies and procedures for clearing/sanitizing sensitive data and software from discarded and transferred equipment and media have not been developed and implemented. Without adequate controls for ensuring that data and software are properly disposed of and/or transferred, the risk exists that sensitive information may be disclosed to unauthorized individuals or parties. ESA is in the process of assessing the need for developing policies and procedures related to labeling, transmitting, securing, and disposing of sensitive data and media.

The following criterion was used in reporting this finding:

       •       NIST Special Publication 800-12, An Introduction to Computer Security

Recommendation:

The following prior year recommendation to the Chief Information Officer and Assistant Secretaries pertains to this finding:

•      ensure agency SSPs are in compliance with the computer security handbook and that agency SSPs (for its GSS and MAs) include appropriate controls for the protection of the physical environment in which system hardware, backups, telecommunication equipment, and other sensitive components reside.

Management's Response:

ESA concurs with this finding. It should be noted that ESA has developed a draft policy and procedures which will ensure that ESA has methodologies in place for the sanitization of all media prior to its being surplused or transferred.

OIG's Conclusion:

This recommendation is resolved and open pending our review of the corrective actions taken during the FY 2001 audit.

l.
Logical Controls over the Authorizing and Periodic Monitoring of User Access

During our FY 2000 audit, we found that controls over the authorizing and periodic monitoring of users having logical access to ESA's ASP mainframe application require improvement.

•      Standard Access Request Forms granting logical access to the ASP mainframe application were not adequately documented. Specifically, the following weaknesses were identified:

       •       3 of the 18 forms tested did not contain information justifying the user's access as required on the form, and
       •       4 of the 18 forms tested did not contain the data security officer's signature approving the access being granted.

•      Monitoring of TSO accounts having access to the ASP mainframe application was not adequately performed, resulting in obsolete and/or inappropriate access to the system. Specifically, we noted the following weaknesses:

       •       28 accounts were marked as canceled and deemed obsolete, but remain defined on the system,
       •       6 users had multiple active accounts,
       •       1 active account was labeled "unassigned" and deemed inappropriate, and
       •       32 accounts deemed active had not been accessed for periods ranging from at least 90 days to 6 years.

Without clearly defined policies, procedures and assignment of security administration, security administrators may not be fully aware of management's security objectives and may not consistently perform the procedures required to provide effective control.
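The four account conditions listed above are mechanical tests that a security administrator can re-run at every recertification rather than discover during an audit. As an added example (not ESA's or DCMWC's procedure, and not the real TSO/RACF listing format, which this report does not show), the following reviews a constructed account listing as of September 30, 2000 and flags canceled IDs that are still defined, owners holding more than one active ID, active IDs not assigned to an individual, and active IDs idle for 90 days or more; the sample records, the "|" separated layout and the 90-day threshold are assumptions made for the example.

```python
from datetime import date

# Constructed sample of a TSO user listing for the ASP mainframe (not the
# actual listing format, which this report does not show). One record per
# line: user ID | owner | status | last access date (ISO) or "never".
SAMPLE_LISTING = """\
ASP001|J. SMITH|ACTIVE|2000-09-15
ASP002|J. SMITH|ACTIVE|2000-08-30
ASP003|M. JONES|CANCELED|1998-02-01
ASP004|UNASSIGNED|ACTIVE|1999-11-20
ASP005|P. LEE|ACTIVE|1994-06-01
ASP006|R. DIAZ|ACTIVE|2000-09-28
ASP007|T. NGUYEN|ACTIVE|never
"""


def parse_listing(text):
    """Parse the '|' separated listing into dicts; 'never' becomes last=None."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        uid, owner, status, last = (f.strip() for f in line.split("|"))
        records.append({"uid": uid, "owner": owner, "status": status.upper(),
                        "last": None if last.lower() == "never" else date.fromisoformat(last)})
    return records


def review_accounts(records, as_of, inactive_days=90):
    """Apply the four recertification tests from the finding: obsolete (marked
    canceled but still defined), multiple active IDs per person, active IDs not
    assigned to an individual, and active IDs unused for >= inactive_days."""
    obsolete, unassigned, inactive, by_owner = [], [], [], {}
    for r in records:
        if r["status"] == "CANCELED":
            obsolete.append(r["uid"])   # should have been deleted, not just flagged
            continue
        if r["owner"].upper() == "UNASSIGNED":
            unassigned.append(r["uid"])
        else:
            by_owner.setdefault(r["owner"], []).append(r["uid"])
        idle = None if r["last"] is None else (as_of - r["last"]).days
        if idle is None or idle >= inactive_days:
            inactive.append((r["uid"], idle))   # idle=None means never used
    duplicate = {o: ids for o, ids in by_owner.items() if len(ids) > 1}
    return {"obsolete": obsolete, "duplicate": duplicate,
            "unassigned": unassigned, "inactive": inactive}


def recertification_actions(review):
    """Turn the review into the actions a security administrator would take,
    each of which should be confirmed against a documented business need."""
    actions = [f"delete {u}: canceled but still defined" for u in review["obsolete"]]
    actions += [f"revoke {u}: not assigned to an individual" for u in review["unassigned"]]
    actions += [f"consolidate {o}: {', '.join(ids)}" for o, ids in review["duplicate"].items()]
    for u, d in review["inactive"]:
        actions.append(f"revoke {u}: " + ("never used" if d is None else f"{d} days idle"))
    return actions


def demo():
    """Review the constructed listing as of the FY 2000 audit date."""
    return review_accounts(parse_listing(SAMPLE_LISTING), date(2000, 9, 30))


if __name__ == "__main__":
    for action in recertification_actions(demo()):
        print(action)
```

For the sample data demo() flags ASP003 as obsolete, ASP004 as unassigned, J. SMITH as holding two active IDs, and ASP004, ASP005 and ASP007 as inactive (315 days, 2313 days and never used). An ID can appear under more than one test, as ASP004 does here; each test is reported separately so the recertification record shows every reason an ID was revoked.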
Thus, inadequate controls over the monitoring and removal from the system of obsolete or inactive IDs, and of IDs not assigned to a specific individual, increase the risk of unauthorized access to system resources.

The following criteria were used in reporting this finding:

       •       NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
       •       OMB Circular A-130 Appendix III, Security of Federal Automated Information Resources
       •       ESA GSS SSP

Recommendation:

The following prior year recommendation to the Chief Information Officer and Assistant Secretaries pertains to this finding:

•      ensure agencies are in compliance with the computer security handbook and that agency SSPs contain sufficient policies and procedures governing the authorizing, modification, removal, and monitoring of access based on the concept of "least privilege," and emergency access. A recertification should be conducted of all IDs on the system and the business need documented. In addition, IDs that have been granted access to production programs and data (outside of the application) should be restricted from this level of access.

Management's Response:

As noted to the OIG auditors and staff, DCMWC is in the process of replacing the ASP mainframe with a new client server system. This system will be implemented in the current calendar quarter. Upon implementation the specific examples cited will be moot. In conjunction with system implementation, DCMWC will ensure that logical controls are clearly documented and understood.
As noted previously, DCMWC will update its security plan documentation to\ninclude such controls and to conform to OCIO and NIST guidelines.\n\nOIG\'s Conclusion:\n\nThis recommendation is resolved and open pending our review of the implementation of the\npolicy and procedures for the new ASP system, and for the non-existence of the weaknesses\nidentified.\n\nStatus of Prior Year Findings and Recommendations\n\nRisk Assessment\n\nDuring our FY 1998 audit (OIG Report No. 12-99-002-13-001), we found that ESA does not\nhave a completed/approved risk assessment that considers data sensitivity and integrity, the range\nof risks to the entity\xe2\x80\x99s systems and data, and resource classifications over its GSS and MAs. We\nmade the following recommendation to the Chief Information Officer and Assistant Secretaries:\n\n\xe2\x80\xa2      ensure entitywide security programs are developed, documented and implemented for\n       all departmental systems. The programs should include an up-to-date security plan,\n       risk assessment, security management structure, and access monitoring.\n\nDuring our FY 2000 audit, we found that risk assessments have been performed and documented\nfor the ESA GSS and the MAs; however, they are in the process of being reviewed and approved\nby the CIO. It should also be noted that resource classifications and criteria have been established\nfor the GSS and MAs except for ASP. This recommendation is considered resolved and open.\nClosure of this recommendation depends upon our review of ESA\xe2\x80\x99s reviewed and approved risk\nassessment.\n\n\n\n\n                                                37\n\x0cManagement\'s Response:\n\nESA concurs with this response. All comments on ESA risk assessments have been received from\nthe OCIO and all but one revised assessment has been returned to the OCIO. 
The remaining risk\nassessment is currently being completed.\n\n(Black Lung ASP) Resource classifications and criteria will be established for the new ASP in\nconjunction with implementation.\n\nOIG\'s Conclusion:\n\nThis recommendation remains resolved and open pending our review of the completed risk\nassessments and ASP\xe2\x80\x99s resource classifications during the FY 2001 audit.\n\nEntitywide Security Program Plan\n\nDuring our FYs 1997 and 1998 audits (OIG Report Nos. 12-99-002-13-001 and 12-98-002-13-\n001), we found that ESA does not have a formally approved entitywide security plan for its GSS\nand MAs. We made the following recommendations to the Chief Information Officer and\nAssistant Secretaries:\n\n\xe2\x80\xa2      ensure entitywide security programs are developed, documented and implemented for\n       all departmental systems. The programs should include an up-to-date security plan,\n       risk assessment, security management structure, and access monitoring, and\n\xe2\x80\xa2      ensure computer security plans are developed and implemented for all departmental\n       systems.\n\nDuring our FY 2000 audit, we found that security plans have been established and documented\nfor ESA\'s GSS, and the following MAs: LS, BCDS and CMP are awaiting approval from the\nCIO. An MA security plan for FECS is currently under development. The documents that make\nup the ASP mainframe security plan do not meet the requirements outlined by the CIO for an MA\nSystem Security Plan (SSP). In addition, though policies and procedures have been established in\nthe security plan for certain security activities (i.e., ongoing security awareness training, incident\nresponse capability, security management structure), funding to fully implement these are not\nexpected until FY 2001. These recommendations remain resolved and open. 
Closure depends upon our review of ESA's completed security plans for all MAs.

Management's Response:

While ESA concurs with this finding, it should be noted that a system security plan for FECS was completed and delivered to the CIO for review on September 27, 2000 (as noted to the OIG on December 20), and the OCIO has already returned comments on that plan. ESA will continue to finalize other security plans as comments are received from the OCIO.

(Black Lung ASP) As noted above, DCMWC has an extensive security plan that predates the CIO guidelines. This plan meets the substantive requirements of these guidelines but does not conform to the CIO format. DCMWC will update its security plan to accommodate the client server system and conform it to the CIO requirements.

OIG's Conclusion:

These recommendations remain resolved and open pending our review of the corrective actions taken during the FY 2001 audit.

Security Management Structure and Security Responsibilities

During our FY 1998 audit (OIG Report No. 12-99-002-13-001), we found that ESA does not have a formally established security management structure with clearly assigned security responsibilities over ESA and its various programs. We made the following recommendation to the Chief Information Officer and Assistant Secretaries:

•      ensure entitywide security programs are developed, documented and implemented for all departmental systems.
  The programs should include an up-to-date security plan, risk assessment, security management structure, and access monitoring.

During our FY 2000 audit, we found that the ESA GSS SSP establishes a security management structure with adequate independence, authority, and expertise, and that an information systems security manager has been appointed at an overall level and at appropriate subordinate levels. However, the following should be noted:

• The security responsibilities of the DITMS Division Director are not clearly established and documented in the ESA GSS SSP.
• The security responsibilities of the MA System Owners are not addressed and are due to be completed with the MA SSPs in FY 2001.
• The MA Program Computer Security Officers have not been established and are due to be determined and documented with the MA SSPs due to be completed in FY 2001.
• The ESA GSS SSP does not include ASP; thus, the DCMWC security management structure for ASP is not documented within the ESA GSS SSP.

In addition, for ASP:

• Security roles and responsibilities have not been established and documented for the Security Officer and the DOL Security Backups.
• The DCMWC organization chart does not identify the security function/management.

This recommendation remains resolved and open. Closure is dependent on the verification of an independent security administration for all of ESA's financially significant systems and our review of ESA's system security plan (SSP).

Management's Response:

ESA concurs that its General Support System Security Plan (SSP) does not contain security responsibilities for the Director of DITMS or the major application System Owners.
When ESA developed this Plan, these responsibilities were drafted, but were deleted from the document. ESA will incorporate these responsibilities into the next version of this Plan, which will be prepared as a result of OCIO comments once their review is completed.

ESA does not concur with the finding that Program Computer Security officers were not designated for each Program. They were established as part of the development of each major application's security plan. Copies of the memoranda designating these individuals have previously been provided to the OIG.

It should be noted that the DCMWC security management structure for ASP should be noted in that application's system security plan, and in the system security plan for the DCMWC general support system; the DCMWC infrastructure is separate from the ESA Enterprise Infrastructure.

(Black Lung ASP) As indicated above, upon integration with the ESA IT environment, the ASP system will be integrated into the ESA GSS SSP. Roles and responsibilities for the new ASP have been established and will be documented in conjunction with system implementation. The organization chart will be updated to reflect the security function.

OIG's Conclusion:

This recommendation remains resolved and open pending our review of the corrective actions taken and the review of any documentation submitted during the FY 2001 audit.

Security-Related Personnel Policies

During our FYs 1997 and 1999 audits (OIG Report Nos. 12-00-003-13-001 and 12-98-002-13-001), we found that ESA has not implemented effective security controls related to personnel policies and procedures.
We made the following recommendations to the Chief Information Officer and Assistant Secretaries:

• ensure that all applicable employees and contractors receive the required training and maintain appropriate documentation (e.g., list of all employees as of the training course date, attendance sheet of employees taking the course, topics, agendas, handouts, etc., provided during the program),
• ensure computer security plans include procedures for proper termination of system access of former employees, and that those procedures are implemented, and
• ensure a background check is conducted for all government and contractor management personnel with high levels of system access.

During our FY 2000 audit, we found that ESA has developed/approved an entitywide security plan, the ESA GSS SSP, that addresses security-related personnel policies. In addition, ESA plans to review the appropriateness of existing procedures regarding position sensitivity related issues and background screening and to consider the DOL Personnel Security Program for implementation. Funding permitting, ESA plans to implement a comprehensive personnel security-screening program in FY 2001. These recommendations remain resolved and open. Closure is dependent on ensuring that ESA's SSP, which addresses security clearances, has been developed and issued, and that any deficiencies previously identified, or that would exist as a result of the issuance of the new security policy, have been corrected.

Management's Response:

ESA concurs with this finding.
As stated, ESA has begun, in FY 2001, to develop a more comprehensive personnel-security program.

OIG's Conclusion:

These recommendations remain resolved and open pending our review of ESA's personnel-security program during the FY 2001 audit.

Logical Controls to Prevent or Detect Unauthorized Access

During our FYs 1998 and 1999 audits (OIG Report Nos. 12-99-002-13-001 and 12-00-003-13-001), we found that controls over the authorizing and periodic monitoring of users having logical access to ESA's FECS mainframe application require improvement. We made the following recommendations to the Chief Information Officer and Assistant Secretaries:

• ensure agencies are in compliance with the computer security handbook and that agency SSPs contain sufficient policies and procedures governing the authorization, modification, removal, and monitoring of access based on the concept of "least privilege," and emergency access. A recertification should be conducted of all IDs on the system and the business need documented. In addition, IDs that have been granted access to production programs and data (outside of the application) should be restricted from this level of access, and
• ensure all departmental Computer Security Plans have policies and procedures for user access, physical access, and monitoring of sensitive and critical resource access.

During our FY 2000 audit, we found that FECS management is in the process of improving the controls over authorizing and monitoring logical access to the mainframe by developing an MA SSP for FECS that will cover the entire security and operating environment, including both the mainframe and client server platforms.
These recommendations remain resolved and open. Closure depends upon our review of ESA's improved controls over the authorizing and periodic monitoring of users having logical access to ESA's FECS mainframe application.

Management's Response:

{blank per agency request}

Access Monitoring and Security Violations

During our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found that ESA's security monitoring controls over the mainframe environment need improvement. We made the following recommendation to the Chief Information Officer and Assistant Secretaries:

• ensure agencies are in compliance with the computer security handbook and that agency SSPs include appropriate policies and procedures for the monitoring of inappropriate or unusual activity occurring on the system. Policies and procedures should include, but are not limited to, management's determination of what should be recorded on logs and what constitutes a violation of the policy, frequency of reviews, reporting and escalation processes, and maintenance of documentation (manual or automated) for audit trail purposes, etc.

During our FY 2000 audit, we found that FECS management is currently improving the controls over authorizing and monitoring logical access to the mainframe by developing an MA SSP for FECS that will cover the entire security and operating environment, including both the mainframe and client server platforms. This recommendation is resolved and open. Closure of this recommendation is dependent on our review of ESA's SSPs containing inappropriate or unusual activity response procedures for the financially significant applications and support systems.

Management's Response:

{blank per agency request}

Logical Controls to Prevent or Detect Unauthorized Access

During our FYs 1998 and 1999 audits (OIG Report Nos.
12-99-002-13-001 and 12-00-003-13-001), we found that controls over the authorizing and periodic security monitoring of users having logical access to ESA's UNIX environment require improvement. We made the following recommendations to the Chief Information Officer and Assistant Secretaries:

• ensure agencies are in compliance with the computer security handbook and that agency SSPs contain sufficient policies and procedures governing the authorization, modification, removal, and monitoring of access based on the concept of "least privilege," and emergency access. A recertification should be conducted of all IDs on the system and the business need documented. In addition, IDs that have been granted access to production programs and data (outside of the application) should be restricted from this level of access, and
• ensure all departmental Computer Security Plans have policies and procedures for user access, physical access, and monitoring of sensitive and critical resource access.

During our FY 2000 audit, we found that DITMS management is in the process of improving the controls over authorizing and monitoring logical access to the UNIX environment.
Testing performed as part of the FY 2000 audit noted the following:

• 2 of the 20 ESA Access Authorization Forms were not available for review,
• 3 of the 20 ESA Access Authorization Forms were missing the user privacy understanding section, and
• 14 program specific forms were not provided.

However, it should be noted:

• ESA's Office of Management, Administration and Planning Division of Automated Systems Management Procedures Manual, Request for Government Issued User Accounts and Services, requires the use of Authorization Documentation.
• ESA's Security Officer is in the process of completing a recertification of users on the FECS, LS, BCDS and CMP systems.

These recommendations remain resolved and open. Closure depends on our review of ESA's improved controls over the authorizing and periodic security monitoring of users having logical access to ESA's UNIX environment.

Management's Response:

ESA concurs with this finding. ESA is currently in the process of performing its scheduled yearly audit to ensure validity of system users. It should be noted, however, that this audit is not being conducted by the ESA Security Officer alone. This audit is being conducted by the Chief of the Branch of Operations and Support, ESA Systems Managers, and the ESA Security Officer. In the case of the three forms where the privacy information was not completed, it should be noted that those forms were completed after ESA modified procedures removing this section from its form. The modification was made in response to concerns by local unions.
ESA will investigate the requirements for privacy notification/understanding and, based on that review, will re-insert the privacy language if the investigation warrants it.

OIG's Conclusion:

These recommendations remain resolved and open pending our review of the corrective actions taken during the FY 2001 audit.

Physical Controls to Prevent or Detect Unauthorized Access

During our FYs 1998 and 1999 audits (OIG Report Nos. 12-99-002-13-001 and 12-00-003-13-001), we found that physical controls to prevent or detect unauthorized or inappropriate access to the DITMS data center need improvement. We made the following recommendations to the Chief Information Officer and Assistant Secretaries:

• ensure agencies are in compliance with the computer security handbook and that agency SSPs include appropriate controls for the protection of the physical environment in which system hardware, backups, telecommunication equipment, and other sensitive components reside. In addition, we recommend agency SSPs include specific technical standards (security settings, critical system configurations, etc.) for each general support system and major application, and
• ensure all departmental Computer Security Plans have policies and procedures for user access, physical access, and monitoring of sensitive and critical resource access.

During our FY 2000 audit, we found that DITMS management is in the process of implementing the new ESA Computer Room access policies and procedures. ESA has implemented new physical access request forms that appear sufficient to document the critical information needed when granting access to the DITMS data center, and policies for handling defective or unused cards.
In addition, ESA implemented a card-key system in June of 2000 providing additional security features and monitoring tools over the DITMS data center. These recommendations are resolved and open. Closure is dependent on our review of the physical access controls to the DITMS data center during the FY 2001 financial statement audit.

Management's Response:

ESA concurs with this finding. However, it should be noted that the ESA Computer Room Access Policy and Procedures was finalized in August 2000.

OIG's Conclusion:

These recommendations remain resolved and open pending our review of the corrective actions taken during the FY 2001 audit.

2.     DOL Needs to Fully Implement a Systems Development Life Cycle Methodology

Status of Prior Year Findings and Recommendations

Documentation

During our FY 1998 and FY 1999 audits (OIG Report Nos. 12-98-002-13-001 and 12-00-003-13-001), we found that:

• The System Development methodology and the Configuration Change Management procedures have not been formally documented and implemented for FECA.
• Documentation of FECS technical programming and user operations is inadequate.

We made the following recommendations to the Chief Information Officer and Assistant Secretaries:

• ensure the "Department of Labor Computer System Development Life Cycle (SDLC) Manual" addresses policies and procedures for documenting various aspects of the system (including user manuals) and under what conditions documentation should be updated.
  The manual should be reviewed and approved by all agency heads, issued, and followed, and
• ensure that the SDLC process is followed by all DOL and contractor personnel who are developing, acquiring, or managing new systems or making enhancements to existing systems.

During our FY 2000 audit, we found that revised mainframe application change control procedures were scheduled to be incorporated into the ESA General Support System in FY 2001. These recommendations are resolved and open. Closure is dependent upon our review of the SDLC policies and procedures.

Management's Response:

{Blank per agency request}

Library Management Software

During our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found that the library management software installed on the mainframe used to process the FECA application is not being used to manage or control the FECA source code. We made the following recommendations to the Chief Information Officer and Assistant Secretaries:

• ensure that its system development life cycle methodology, that is to be followed by the agencies, includes policies and procedures for emergency changes, the separation of duties of development and support staff from the production environment, and the usage of automated library management tools, and
• ensure agency compliance with the SDLC manual and institute emergency change control procedures, thus allowing access to the system when unexpected events arise.

During our FY 2000 audit, we found that the version control software CA-Librarian has been installed and procedures for moving source code under control of this software are being developed. In the interim, manual procedures for implementing version control and for a change control process have been developed and recently implemented.
These recommendations are resolved and open. Closure is dependent on our review of ESA's revised SDLC guidance on emergency changes, the separation of duties, and the usage of automated library management tools.

Management's Response:

{Blank per agency request}

Controlling Libraries

During our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found that FECA program development staff has access to production and test environments; mainframe programmers may move changes to the production environment. We made the following recommendations to the Chief Information Officer and Assistant Secretaries:

• ensure that the SDLC manual provides for the establishment of control points for formally requesting, approving, and testing system software changes, and that these controls are implemented and followed, and
• ensure that its computer security handbook includes, in the separation of duties and least privilege sections of the SSP Guide, a requirement that agency heads identify and document incompatible duties for general support systems and major applications.

During our FY 2000 audit, we found that FECS management is currently working with SunGard to ensure that developers cannot access production libraries by reviewing all access control lists for production data sets. These recommendations are unresolved. Resolution is dependent upon the OIG's review of ESA's computer security handbook, including its guidance on granting and monitoring access, and of documentation showing that reviews of ESA's financially significant systems have been scheduled to verify that the policies governing access have been implemented.

Management's Response:

{Blank per agency request}

3.     DOL Needs to Complete and Fully Test Its Plan(s) for Maintaining Continuity of Operations

Status of Prior Year Findings and Recommendations

Disaster Recovery Plan

During our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found that a complete inventory of items such as computer hardware, software, and telecommunications needed for operations is not included in the ESA disaster recovery/business continuity plan. We made the following recommendations to the Chief Information Officer and Assistant Secretaries:

• ensure agencies are in compliance with the computer security handbook by ensuring each agency develops the required contingency plan. In addition, agencies should ensure that: arrangements have been made for an alternate processing facility; plans are stored at the off-site storage facility; plans include sufficient guidelines for developing roles, responsibilities and recovery instructions, training for primary and backup personnel, and frequency of updates, etc., and
• ensure that written disaster recovery plans are developed where needed.

During our FY 2000 audit, we found that ESA will continue to work with the Department as it refines its approach to contingency and disaster planning. Once final guidance is issued, ESA will begin an agency-wide effort to reassess its contingency and disaster planning efforts and will take actions, if necessary, to correct any problems or deficiencies noted. These recommendations are resolved and open. Closure is dependent on our review of ESA's completed contingency plans, which include a complete inventory of items such as computer hardware, software, and telecommunications needed for operations, for ESA's financially significant systems and their support systems.

Management's Response:

ESA concurs with this finding.
ESA has already begun a reassessment of its contingency and disaster planning efforts in lieu of Departmental guidance. The completed contingency and disaster planning documents will contain all information noted, such as a complete inventory of hardware and software.

OIG's Conclusion:

These recommendations remain resolved and open pending our review of the corrective actions taken during the FY 2001 audit.

MINE SAFETY AND HEALTH ADMINISTRATION (MSHA)

We tested general controls and security over EDP systems of the MSHA as they pertain to the following critical financial application:

• Assessments Database Management System (ADBMS)

GAO's Federal Information System Controls Audit Manual (FISCAM) was used to guide testing. The scope of testing included the six FISCAM general controls sections: (1) Entitywide Security Program Planning and Management (SP), (2) Access Controls (AC), (3) Application Software Development and Change Control (CC), (4) System Software (SS), (5) Segregation of Duties (SD), and (6) Service Continuity (SC).

The ADBMS application resides on the Honeywell Bull mainframe DPS-9000 computer system located at the Defense Enterprise Computing Center (DECC) in San Antonio, Texas. In addition, the Directorate of Program Evaluation and Information Resources (PEIR), Information Resource Center, Division of Systems Operations and Communications, located in Lakewood, Colorado, contains telecommunications equipment used by MSHA to connect to the DECC Bull Mainframe, DPS-9000. ADBMS consists of an online telecommunications network linking the Wilkes-Barre Assessment Center, the Arlington Assessment Office and the Civil Penalty Compliance Office (CPCO) to the Honeywell Bull mainframe DPS-9000 computer system.

The PEIR group is responsible for application development and maintenance.
Our scope was limited to the EDP controls that are the responsibility of MSHA and the MSHA controls as they relate to the Bull mainframe processing of ADBMS. Limited testing was performed at the DECC that supports and maintains the mainframe operating system and physical environment used to process and store ADBMS application data.

1.     DOL Needs to Strengthen Controls to Protect Its Information

Current Year Findings and Recommendations

a. Risk Assessment

During our FY 2000 audit, we found that the MSHA Risk Analysis Report is dated February 17, 1989. The analysis is outdated and MSHA Management is currently in the process of performing a risk assessment. In the absence of an up-to-date risk assessment, identification of current threats and vulnerabilities, appropriate decisions for mitigation and subsequent adjustments to the security controls and policies may not be performed on a timely basis for critical system resources. Therefore, effective security controls may not be implemented to prevent or detect unauthorized or inappropriate access to MSHA's systems and information.

The following criteria were used in reporting this finding:

       • The DOL Computer Security Handbook (CSHB)
       • The Federal Managers' Financial Integrity Act of 1982
       • NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
       • OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources

Recommendation:

The following prior year recommendation to the Chief Information Officer and the Assistant Secretaries pertains to this finding:

• ensure that entitywide security programs are developed, documented and implemented for all departmental systems.
  The programs should include an up-to-date security plan, risk assessments, security management structure, access monitoring, etc.

Management's Response:

MSHA completed a risk assessment of the Agency's major applications, including the Assessments Database Management System (ADBMS), in November 2000. This Risk Assessment was conducted using Risk Watch, the model adopted by the Department. The draft Vulnerability Report was submitted to the Office of the Chief Information Officer on December 12, 2000. The identification of MSHA's current risks and threats in the Vulnerability Report will be used to establish more effective information security policies during the implementation of MSHA's integrated security program beginning in January 2001.

OIG's Conclusion:

This recommendation is resolved and open pending our review of the MSHA policy and procedures for performing risk assessments and our review of the completed risk assessment for ADBMS during the FY 2001 audit.

b. Entitywide Security Program Plan

During our FY 2000 audit, we found that the Department of Labor's Mine Safety and Health Administration's (MSHA) GSS Security Plan has not been fully completed to be in compliance with the CIO's Computer Security Handbook. In addition, the MA security plan for ADBMS is under development and due to be finalized in FY 2001.
Without a formal documented security plan, employees may perform inadequate or improper procedures that could, in turn, compromise the security control structure of the organization or sensitive data residing within MSHA's systems. In addition, policies, procedures, and guidelines presented within the security plan should be updated periodically or they may not adequately reflect recent modifications within the current working environment of an organization or may not fully support management's overall business and security objectives.

The following criteria were used in reporting this finding:

       • The DOL Computer Security Handbook (CSHB)
       • NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
       • OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources
       • OMB Bulletin 90-08

Recommendation:

The following prior year recommendation to the Chief Information Officer and the Assistant Secretaries pertains to this finding:

• ensure that entitywide security programs are developed, documented and implemented for all departmental systems. The programs should include an up-to-date security plan, risk assessments, security management structure, access monitoring, etc.

Management's Response:

MSHA completed a General Support System Security Plan and a Major Application System Security Plan, which includes an ADBMS System Security Plan, on November 15, 2000. The plans were submitted to the Office of the Chief Information Officer. These plans are in compliance with the CIO's Computer Security Handbook.

OIG's Conclusion:

This recommendation is resolved and open.
Closure is dependent upon our review of the MSHA General Support System Security Plan and ADBMS System Security Plan during the FY 2001 audit.

c. Security Management Structure and Security Responsibilities

During our FY 2000 audit, we found the Department of Labor's Mine Safety and Health Administration (MSHA) does not have an Information Security organization identified in its security plans, and the information security structure has not been defined in the organization chart dated June 1, 2000.

In addition, there is no central system security office that could:

• facilitate risk assessments,
• coordinate the development and distribution of security policies and procedures,
• routinely monitor compliance with these policies,
• provide security awareness training among system users, and
• provide reports to senior management concerning policy and control evaluation results.

Without a well designed entitywide security program plan, security controls may be inadequate; responsibilities may be unclear or misunderstood; and controls may be inconsistently applied. The effectiveness of a security program is affected by the way in which responsibilities for overseeing its implementation are assigned.
Generally, such responsibility is assigned to a central system security program office that reports directly to the Chief Information Officer.

The following criteria were used in reporting this finding:

       • OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources
       • NIST 800-12: An Introduction to Computer Security
       • NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems

Recommendation:

The following prior year recommendation to the Chief Information Officer and the Assistant Secretaries pertains to this finding:

• ensure that entitywide security programs are developed, documented and implemented for all departmental systems. The programs should include an up-to-date security plan, risk assessments, security management structure, and access monitoring, etc.

Management's Response:

MSHA has assigned entity-wide security officer duties to a position that reports directly to the Deputy Director, Program Evaluation and Information Resources. In consultation with contract security specialists, the Agency completed a security program implementation work plan on December 11, 2000. Work on security program implementation commences on January 2, 2000. One of the first steps in the work plan is the development of a formal security management structure within MSHA. This structure will identify reporting relationships and authorities at the functional, program, and individual levels.

OIG's Conclusion:

This recommendation is resolved and open. Closure is dependent upon our review of the MSHA security structure and security plan during the FY 2001 audit.

d. Security Procedures

During our FY 2000 audit, we found that procedures for adding, modifying and removing user access privileges from the MSHA Assessment Data Base Management System (ADBMS) are not clearly defined and documented in the MSHA draft security Plan, dated April 14, 2000. Employees are deleted from production by the Database/LAN Administrator without proper management authorization.

If ownership responsibilities are not clearly assigned, access/removal authorizations may be left to personnel who are not in the best position to determine users' access needs. Such personnel are likely to authorize overly broad access in an attempt to ensure that all users can access the resources they need. This defeats the purpose of access controls and, depending on the sensitivity of the resources involved, can unnecessarily provide opportunities for fraud, sabotage, and inappropriate disclosures. The effectiveness of a security program is affected by the way in which responsibilities for overseeing its implementation are assigned.

The following criteria were used in reporting this finding:

       • NIST 800-12: An Introduction to Computer Security
       • OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources

Recommendation:

The following prior year recommendation to the Chief Information Officer and the Assistant Secretaries pertains to this finding:

• ensure that agencies are in compliance with the computer security handbook and that the agency SSPs (for its GSS and MAs) contain sufficient policies and procedures governing the authorization, modification, removal, and monitoring of access based upon the concept of "least privilege," and emergency access.
A re-certification should\n       be conducted of all IDS on the system and the business need documented.\n\nIn addition, IDS that have been granted access to production programs and data (outside of the\napplication) should be restricted from this level of access.\n\n\n\n\n                                                 52\n\x0cManagement\xe2\x80\x99s Response:\n\nUser access privileges are being established through use of a Unified Access Authorization (UAA)\nform scheduled to be finalized and fully implemented by the end of January. User access levels\nand system-related information will be incorporated for MSHA\xe2\x80\x99s server-based platforms including\nthe MSHA Standardized Information System (MSIS), Teradata, Exchange and Citrix.\nInformation from the existing Defense Enterprise Computing Center (DECC) System Access\nAuthorization Request (SAAR) forms, along with information from the UAA form, will be\nutilized to populate and update an Intranet application designed to provide this data to system\nmanagers and security personnel. A valid user list that contains only authorized employees will be\navailable and periodically reviewed by program managers and supervisors. The procedure will\nidentify those with access rights to the ADBMS as well as all other user groups throughout\nMSHA.\n\nThe overall responsibility for the UAA form and procedures will be lodged with the Arlington IT\nsecurity office being established in PEIR headquarters as described in c. Security Management\nStructure and Security Responsibilities. In addition, oversight and compliance guidelines for the\nprocess of authorizing system users will be included in a new IT Security chapter being drafted for\ninclusion in the Agency\xe2\x80\x99s Accountability Program. This is scheduled to be completed in FY 2001.\n\nOIG\xe2\x80\x99s Conclusion:\n\nThis recommendation is resolved and open. 
Closure is dependent upon our review of the new\nMSHA procedures and policies for security during the FY 2001 audit.\n\ne. Security-Related Personnel Policies\n\nDuring our FY 2000 audit, we found that effective security related personnel policies were not\nimplemented for MSHA. The following examples illustrate:\n\n\xe2\x80\xa2      Initial security training for new hires is not being conducted.\n\xe2\x80\xa2      There is no documentation (sign-in sheet, date of last security awareness training, etc.)\n       from the last MSHA periodic security awareness training program.\n\xe2\x80\xa2      Employee background checks were not performed in a timely manner on employees hired\n       in sensitive positions. In addition, periodic reinvestigation were not performed for these\n       employees.\n\xe2\x80\xa2      Contractors given access to \xe2\x80\x9chigh risk public trust\xe2\x80\x9d data such as MSHA programming\n       production data are not required to have background investigations.\n\xe2\x80\xa2      Employees and contractors with access to \xe2\x80\x9chigh risk public trust\xe2\x80\x9d information were not\n       required to complete confidentiality agreements. Confidentiality agreements were not\n       required for the users of ADBMS critical system. ADBMS contains \xe2\x80\x9cPrivacy Act\xe2\x80\x9d\n       information.\n\xe2\x80\xa2      Employee training was not tracked and monitored to help ensure that employee expertise\n\n\n                                                53\n\x0c       was maintained at the appropriate level.\n\xe2\x80\xa2      Procedures were not established to guide MSHA members completing exit tasks for\n       departing employees. For example, there were no procedures stating when or how to\n       notify the Network Administrator to remove a user ID for a departed MSHA employee.\n\xe2\x80\xa2      Checklists for departing employees from MSHA, includes Form DL 1-107 (Separation\n       Clearance), were not always completed. 
In addition, the forms did not cover the removal\n       of user IDS from all sensitive applications.\n\xe2\x80\xa2      Position descriptions/job descriptions are out dated or missing from employee files.\n\nIn the absence of adequate security-related personnel policies in place, an entity may risk the\nfollowing: hiring unqualified individuals, leaving terminated personnel access to create\nunauthorized transactions, perform intentional errors, create a denial of service, and potentially\ndisclose sensitive data, allowing staff expertise to decline and inappropriate segregation of duties.\nOverall, the lack of security-related personnel policies could lead to adverse personnel activities\nthat could compromise the security over ADBMS.\n\nThe following criterion was used in reporting this finding:\n\n       \xe2\x80\xa2       NIST Special Publication 800-14, Generally Accepted Principles and Practices\n               for Securing Information Technology Systems\n\nRecommendation:\n\nThe following prior year recommendations to the Chief Information Officer and the Assistant\nSecretaries pertains to this finding:\n\n\xe2\x80\xa2      ensure that computer security plans include procedures for proper termination of\n       systems access of former employees, and those procedures are implemented,\n\xe2\x80\xa2      ensure that all applicable employees and contractors receive the required training and\n       maintain the appropriate documentation (e.g., lists of employees as of the training\n       course date, attendance sheet of employees taking the course, topics, agendas,\n       handouts, etc., provided during the program), and\n\xe2\x80\xa2      a background check should be conducted for all Government employees and\n       contractor management personnel with high levels of system access.\n\nManagement\xe2\x80\x99s Response:\n\nVarious personnel and contractor management practices have been implemented to address the\nconditions identified in this item.\n\nWith 
regard to security training, significant improvements have been made in the implementation\nand enforcement of MSHA\xe2\x80\x99s policies. Program managers have been instructed to ensure that new\nemployees receive security training prior to receiving network or system access. Annual refresher\n\n\n                                                 54\n\x0ctraining is required for all other MSHA employees. This training is being given and documented\nat all locations, with lists of persons taking the training provided to the MSHA Security Officer in\nArlington.\n\nThe Office of Assessments has created a tracking system for all ADBMS employee training, both\ninformal hands-on training and formal training. The Office of Assessments is developing a policy\nto ensure compliance with documenting and tracking ADBMS training.\n\nThe security requirements for contractors working on MSHA systems have been reviewed and\nappropriate personnel security requirements have been included in each statement of work. In\naddition, confidentiality agreements are being developed for signature by MSHA employees as\nwell as contractor staff. This will require employee union notification prior to implementation.\n\nSince the ADBMS is considered a \xe2\x80\x9chigh risk public trust\xe2\x80\x9d system, the Human Resource Division\n(HRD) in Arlington will determine which employees are required to have background investigations in\norder to use and access ADBMS data. HRD will determine which positions require periodic re-\ninvestigations as well as the frequency of the re-investigations.\n\nMSHA\xe2\x80\x99s Human Resources Division is developing a policy and procedures for exiting MSHA\nemployees. This policy will mandate the use of the Separation Clearance form (DOL Form 1-107 -\nRev. April 1997). This revision includes a section (1-t) to list system names from which to remove the\nemployee. The previous revision dated 1987 did not have the 1-t section. 
MSHA exiting procedures\nwill include instructions for each employee\xe2\x80\x99s supervisor to provide a copy of the completed DOL1-107\nto the appropriate LAN Administrator.\n\n(Note: The auditors may not have a copy of the most recent revision to DOL1-107. See copy of the\nDOL1-107 (Rev. April 1997) Separation Clearance form.)\n\nThe Office of Assessments is in the process of reviewing and, where appropriate, revising the position\ndescriptions for their staff.\n\nOIG\xe2\x80\x99s Conclusion:\n\nThese recommendations are resolved and open. Closure is dependent upon our review of the\nnew MSHA procedures and policies for personnel security and the corrective action identified\nduring the FY 2001 audit.\n\nf. Authorization of Access\n\nDuring our FY 2000 audit, we found that procedures for authorizing access to systems resources\nwithin MSHA were weak. Specifically:\n\n\xe2\x80\xa2      Access to the ADBMS Application is not always authorized and documented. Though\n\n\n                                                  55\n\x0c       policies and procedures exist, we found that they were not part of the MSHA security\n       plan. In a test of 25 employees with access to the ADBMS application, we found only 12\n       had System Authorization Access Request (SAAR) forms on file.\n\xe2\x80\xa2      The design and use of the SAAR form can be enhanced. 
Specifically, the form does not\n       indicate the authorized access privileges of the user.\n\nWithout clearly defined policies, procedures and assignment for security administration, security\nadministrators may not fully be aware of management\xe2\x80\x99s security objectives and may not be\nconsistently performing the necessary procedures required to provide effective control.\nSpecifically,\n\n\xe2\x80\xa2      Undocumented or out-of-date access request forms may compromise the integrity of the\n       system by granting access that is not consistent with management\xe2\x80\x99s security objectives,\n       authorized intent, or user job responsibilities.\n\xe2\x80\xa2      Inadequate controls over the monitoring and removal of obsolete or inactive IDS from the\n       system increases the risk of unauthorized access to system resources.\n\xe2\x80\xa2      Ineffective controls surrounding the granting and periodic monitoring of user access\n       privileges increases the risk of unauthorized modification (intentional or accidental) to\n       information stored and/or processed by the entity.\n\nUser accountability within the system is diminished without adequate controls over the\nmaintenance of access request forms.\n\nThe following criteria were used in reporting this finding:\n\n       \xe2\x80\xa2       System Authorization Access Request (SAAR) Memorandum from the Director of\n               Program Evaluation and Information Resources\n       \xe2\x80\xa2       NIST 800-12: An Introduction to Computer Security\n       \xe2\x80\xa2       NIST Special Publication 800-14, Generally Accepted Principles and Practices\n               for Securing Information Technology Systems\n\nRecommendation:\n\nThe following prior year recommendation to the Chief Information Officer and the Assistant\nSecretaries pertains to this finding:\n\n\xe2\x80\xa2      ensure that agencies are in compliance with the computer security handbook and that\n       the agency SSPs 
(for its GSS and MAs) contain sufficient policies and procedures\n       governing the authorization, modification, removal, monitoring of access based upon\n       the concept of "least privileged," and the emergency access. A recertification should\n       be conducted of all IDS on the system and the business need documented. In addition,\n       IDS that have been granted access to production programs and data (outside of the\n       application) should be restricted from this level of access.\n\n\n                                                 56\n\x0cManagement\xe2\x80\x99s Response:\n\nA review of the ADBMS user group was conducted. SAAR forms were prepared and authorized\nfor all system users to ensure that only valid, authorized users have access to the system. Users\nwithout the requisite authorizations no longer have access to the system.\n\nAdditional information related to the Unified Access Authorization form and SAAR form is\noutlined under e. Security-Related Personnel Policies.\n\nOIG\xe2\x80\x99s Conclusion:\n\nThis recommendation is resolved and open. Closure is dependent upon our review of the new\nMSHA procedures and policies for security-related personnel policies and additional testing of the\nimplementation of the authorization forms during the FY 2001 audit.\n\ng. Access Monitoring\n\nDuring our FY 2000 audit of MSHA, we found that owners do not periodically review access\nauthorization listings to determine whether access remains appropriate for the GSS and MA. In\naddition, changes to security profiles on both the Bull and NT systems are not periodically\nreviewed by management. 
As a result, some users access to the system is inappropriate.\nSpecifically:\n\n\xe2\x80\xa2      We found 4 of 16 users tested, had access that did not appear appropriate based upon\n       their job functions (e.g., mail clerks, file clerks, etc.).\n\xe2\x80\xa2      We found 3 of 6 application programmers had production level access.\n\xe2\x80\xa2      We found 1 of the 16 selected users in Wilkes-Barre Assessment Center had been assigned\n       two Logical ID\xe2\x80\x99s.\n\nAccess that is not based upon a business need, using the concept of "least privilege," increases the\nrisk of users performing functions that are inappropriate based upon their job responsibilities.\n\nThe following criteria were used in reporting this finding:\n\n       \xe2\x80\xa2       System Authorization Access Request (SAAR) Memorandum from the Director of\n               Program Evaluation and Information Resources\n       \xe2\x80\xa2       NIST Special Publication 800-14, Generally Accepted Principles and Practices\n               for Securing Information Technology Systems\n       \xe2\x80\xa2       OMB Circular A-130, Appendix III, Security of Federal Automated Information\n               Resources\n\nRecommendation:\n\n\n                                                 57\n\x0cThe following prior year recommendation to the Chief Information Officer and the Assistant\nSecretaries pertains to this finding:\n\n\xe2\x80\xa2      ensure that agencies are in compliance with the computer security handbook and that\n       the agency SSPs (for its GSS and MAs) contain sufficient policies and procedures\n       governing the authorization, modification, removal, monitoring of access based upon\n       the concept of "least privileged," and the emergency access. A recertification should\n       be conducted of all IDS on the system and the business need documented. 
In addition,\n       IDS that have been granted access to production programs and data (outside of the\n       application) should be restricted from this level of access.\n\nManagement\xe2\x80\x99s Response:\n\nThe Assessments program office recently issued new, secure IDS and passwords for all the\nADBMS users.\n\nMSHA is in the process of developing and implementing a Unified Access Authorization form and\nprocess, as previously discussed under d. Security Procedures. Once this system is in place, it\nwill be possible to produce reports listing active, authorized users for each system and the levels\nof access authorized for those users. These reports will be provided on a periodic basis to the\nsystem managers for their review and certification. This process will be a component of an\noverall IT security program and will be managed through the Arlington IT security office.\n\nOIG\xe2\x80\x99s Conclusion:\n\nThis recommendation is resolved and open. Closure is dependent upon our review of the\ncorrective actions taken and the new MSHA procedures and policies for security during the FY\n2001 audit.\n\nh. Remote Access\n\nDuring our FY 2000 audit, we found that dial-in access of remote users to the MSHA\xe2\x80\x99s LAN\nlocated in Denver is not documented or monitored. Specifically, we found all 25 users tested\nwere part of the \xe2\x80\x9cremote\xe2\x80\x9d group. This access allows users to dial-in remotely via Point-to-Point\nProtocol (PPP). In addition, controls were not in place to monitor remote dial-in. 
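The recertification that findings f, g and h call for (confirming that every active logical ID has an authorization form on file, that the access actually held matches what was approved, including dial-in “remote” membership, that programmers and clerical staff do not hold production-level access, and that no one person holds two logical IDs) can be run as a periodic reconciliation. The following is an added example, not code from the report or from MSHA; the account listing, the SAAR records, the group names and the job-function policy are all constructed for illustration.

```python
"""Periodic access recertification check (added example; constructed data).

Reconciles an active-account listing against the SAAR authorization forms on
file and flags the conditions the findings describe: no form on file, access
groups the form does not cover (including the dial-in "remote" group),
application programmers or clerical staff holding production-level access,
and one person assigned more than one logical ID.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical review policy: job functions that should never hold production access.
NO_PRODUCTION_ACCESS = {"application programmer", "mail clerk", "file clerk"}


@dataclass(frozen=True)
class Account:
    """One active logical ID as reported by the system (constructed)."""
    logical_id: str
    person: str
    job_function: str
    groups: frozenset  # access groups actually held, e.g. {"adbms", "remote"}


@dataclass(frozen=True)
class Authorization:
    """One SAAR form on file: what management actually approved (constructed)."""
    logical_id: str
    person: str
    approved_groups: frozenset


def review_access(accounts, authorizations):
    """Return a sorted list of (logical_id, issue) pairs; an empty list means clean."""
    on_file = {a.logical_id: a for a in authorizations}
    ids_per_person = defaultdict(list)
    issues = []

    for acct in accounts:
        ids_per_person[acct.person].append(acct.logical_id)
        form = on_file.get(acct.logical_id)
        if form is None:
            issues.append((acct.logical_id, "no SAAR form on file"))
        else:
            if form.person != acct.person:
                issues.append((acct.logical_id, "SAAR form names a different person"))
            # Anything held beyond what the form approved is unauthorized access.
            for group in sorted(acct.groups - form.approved_groups):
                issues.append((acct.logical_id, f"group '{group}' not covered by SAAR form"))
        if "production" in acct.groups and acct.job_function in NO_PRODUCTION_ACCESS:
            issues.append((acct.logical_id,
                           f"{acct.job_function} holds production-level access"))

    # One person with several logical IDs weakens individual accountability.
    for person, ids in ids_per_person.items():
        if len(ids) > 1:
            for lid in ids:
                issues.append((lid, f"{person} holds {len(ids)} logical IDs ({', '.join(sorted(ids))})"))
    return sorted(issues)


# Constructed sample: five active IDs, four forms on file.
SAMPLE_ACCOUNTS = [
    Account("AR01", "J. Doe", "assessment analyst", frozenset({"adbms", "remote"})),
    Account("AR02", "K. Roe", "file clerk", frozenset({"adbms", "production"})),
    Account("AR03", "L. Poe", "application programmer", frozenset({"adbms", "production"})),
    Account("AR04", "J. Doe", "assessment analyst", frozenset({"adbms"})),  # 2nd ID, same person
    Account("AR05", "M. Moe", "assessment analyst", frozenset({"adbms", "remote"})),
]
SAMPLE_AUTHORIZATIONS = [
    Authorization("AR01", "J. Doe", frozenset({"adbms", "remote"})),
    Authorization("AR02", "K. Roe", frozenset({"adbms"})),          # production never approved
    Authorization("AR03", "L. Poe", frozenset({"adbms", "production"})),
    Authorization("AR05", "M. Moe", frozenset({"adbms"})),          # remote dial-in never approved
]


def recertification_report(accounts=SAMPLE_ACCOUNTS, authorizations=SAMPLE_AUTHORIZATIONS):
    """Group issues by logical ID so the owner can certify or revoke each one."""
    report = defaultdict(list)
    for lid, issue in review_access(accounts, authorizations):
        report[lid].append(issue)
    return dict(report)


if __name__ == "__main__":
    for lid, problems in sorted(recertification_report().items()):
        print(lid)
        for problem in problems:
            print("   -", problem)
```

Each flagged ID then needs a documented business-need decision from the owner, which is the record a later audit would ask to see.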
Inadequate\nmonitoring of dial-in accounts increases the risk that unauthorized individuals or malicious\nintruders may not be detected and could gain access to systems resources.\n\nThe following criteria were used in reporting this finding:\n\n       \xe2\x80\xa2       System Authorization Access Request (SAAR) Memorandum from the Director of\n               Program Evaluation and Information Resources\n       \xe2\x80\xa2       NIST 800-12: An Introduction to Computer Security\n\n\n                                                 58\n\x0c       \xe2\x80\xa2       NIST Special Publication 800-18, Guide for Developing Security Plans for\n               Information Technology Systems\n\nRecommendation:\n\nThe following prior year recommendation to the Chief Information Officer and the Assistant\nSecretaries pertains to this finding:\n\n\xe2\x80\xa2      ensure that agencies are in compliance with the computer security handbook and that\n       the agency SSPs (for its GSS and MAs) contain sufficient policies and procedures\n       governing the authorization, modification, removal, monitoring of access based upon\n       the concept of "least privileged," and the emergency access. A recertification should\n       be conducted of all IDS on the system and the business need documented. In addition,\n       IDS that have been granted access to production programs and data (outside of the\n       application) should be restricted from this level of access.\n\n\nManagement\xe2\x80\x99s Response:\n\nDial-in authorization and monitoring procedures are being reviewed. It is not MSHA\xe2\x80\x99s policy to\ninstall dial-in software on any machine, desktop or laptop, without proper authorization.\nAuthorization will be granted and periodically reviewed through the Unified Access Authorization\nform and procedures as discussed in response to d. Security Procedures and e. 
Security-Related\nPersonnel Policies .\n\nOIG\xe2\x80\x99s Conclusion:\n\nThis recommendation is resolved and open. Closure is dependent upon our review of the new\nMSHA procedures and policies for security during the FY 2001 audit.\n\ni. Physical Access\n\nDuring our FY 2000 audit, we found access to the IRC is not adequately controlled. Specifically,\nwe found that the doors leading to the LAN Servers that connect to the ADBMS application\nresiding in San Antonio, as well as the printing area are not locked. Without effective physical\ncontrols over sensitive areas, the risk exists that unauthorized individuals may do physical harm or\ninstall devices that may impact the integrity, availability, or confidentiality of information stored\nand/or processed by the entity.\n\nThe following criteria were used in reporting this finding:\n\n       \xe2\x80\xa2       NIST 800-12: An Introduction to Computer Security\n       \xe2\x80\xa2       NIST Special Publication 800-18, Guide for Developing Security Plans for\n\n\n                                                 59\n\x0c              Information Technology Systems\n\nRecommendation:\n\nThe following prior year recommendation to the Chief Information Officer and the Assistant\nSecretaries pertains to this finding:\n\n\xe2\x80\xa2      ensure that the agency is in compliance with the computer security handbook and that\n       agency SSPs (for its GSS and MAs) include appropriate controls for the protection of\n       physical environment in which system hardware, backups, telecommunication\n       equipment, and other sensitive components reside.\n\nManagement\xe2\x80\x99s Response:\n\nThe issue of insufficient physical controls on the IRC computer room has been addressed. 
A\nmemorandum from the center chief to the chief of the IRC Systems Operation and\nCommunication Division was issued on November 9, 2000, with instructions to ensure that the\ncomputer room is secured at all times, and to document and report any breaches of the security\ncontrols.\n\nOIG\xe2\x80\x99s Conclusion:\n\nThis recommendation is resolved and open. Closure is dependent upon our review of the new\nMSHA procedures and policies for physical access and our review of the physical controls\nsurrounding MSHA\xe2\x80\x99s environment during the FY 2001 audit.\n\nj. Logical Controls to Prevent or Detect Unauthorized Access\n\nDuring our FY 2000 audit, we found that logical access to the LAN and Bull operating system are\ninadequate. Specifically we found that:\n\n\xe2\x80\xa2      LAN system security settings do not require passwords to be:\n       \xe2\x80\xa2      controlled by the assigned user and not subject to disclosure (users are sharing\n              passwords in order to check other users\xe2\x80\x99 mail);\n       \xe2\x80\xa2      changed periodically;\n       \xe2\x80\xa2      at least six alphanumeric characters in length; and\n       \xe2\x80\xa2      prohibited from reuse (e.g., maintaining a password history).\n\xe2\x80\xa2      Bull system security settings do not require passwords to be:\n       \xe2\x80\xa2      unique for specific individuals \xe2\x80\x93 Group user IDs\xe2\x80\x99IDSd passwords are established\n              (e.g., shared);\n       \xe2\x80\xa2      controlled by the assigned user and not subject to disclosure - through the use of\n              group user ID\xe2\x80\x99s and passwords;\n       \xe2\x80\xa2      changed periodically;\n\n\n                                               60\n\x0c       \xe2\x80\xa2       at least six alphanumeric characters in length; and\n       \xe2\x80\xa2       prohibited from reuse (e.g., maintaining a password history).\n\xe2\x80\xa2      Security parameters over the LAN and the Bull do not 
prohibit the use of generic user\n       IDS and passwords.\n\xe2\x80\xa2      Logical IDS used to gain access to Transaction Processing (TP) can be improved.\n       Specifically:\n       \xe2\x80\xa2       TP does not require a password; and\n       \xe2\x80\xa2       Logical IDs are arranged in sequence (i.e., AR01, AR02, AR03, etc.).\n\xe2\x80\xa2      Computer terminals are not automatically logged off after a period of inactivity on the\n       LAN.\n\xe2\x80\xa2      The use of screen saver passwords are not required.\n\nInadequate controls over the establishment of password parameters may lead to the risk of\npasswords being easily guessed allowing an unauthorized user the ability to gain access to systems\nresources. Lack of controls to automatically logged off sessions after a period of inactivity\nincreases the risk that unauthorized users could gain access to the LAN via users who are\nlegitimately logged into the LAN.\n\nThe following criteria were used in reporting this finding:\n\n       \xe2\x80\xa2       NIST 800-12: An Introduction to Computer Security\n       \xe2\x80\xa2       NIST Special Publication 800-18, Guide for Developing Security Plans for\n               Information Technology Systems\n\nRecommendation:\n\nThe following prior year recommendation to the Chief Information Officer and the Assistant\nSecretaries pertains to this finding:\n\n\xe2\x80\xa2      ensure that the Agency SSPs include specific technical standards (security settings,\n       critical system configuration, etc.) 
for each general support system and major\n       application.\n\nManagement\xe2\x80\x99s Response:\n\nEffective December18, 2000, MSHA LAN security settings were modified to enforce the\nfollowing:\n\n\xe2\x80\xa2      Passwords must be 8 to 14 characters long;\n\xe2\x80\xa2      Passwords must contain at least one item from 3 of the following:\n             \xe2\x80\xa2      Uppercase Letters\n             \xe2\x80\xa2      Lowercase letters\n             \xe2\x80\xa2      Numbers\n\n\n                                                 61\n\x0c              \xe2\x80\xa2      Special characters\n\xe2\x80\xa2      Passwords expire every 90 days;\n\xe2\x80\xa2      Passwords must be unique 5 times before the same password can be used again;\n\xe2\x80\xa2      Passwords cannot be changed for at least 30 days after the last change; and,\n\xe2\x80\xa2      User accounts are locked out for 60 minutes after 5 unsuccessful logon attempts (wrong\n       password).\n\nHoneywell mainframe based systems are scheduled for migration to a new platform through the\nMSHA Standardized Information System. The new system will adhere to the following\nstandards:\n\n\xe2\x80\xa2      Individual user identifications;\n\xe2\x80\xa2      Passwords will be changed every 90 days;\n\xe2\x80\xa2      Passwords will be at least 8 characters in length in a combination of upper and lower case\n       characters and numbers;\n\xe2\x80\xa2      Prohibited password reuse for 6 generations; and\n\xe2\x80\xa2      User access limited to the minimum level needed in performance of duties.\n\nIn order to improve security access requirements at DECC related to the transaction processing\n(TP) system, testing and implementation has been completed requiring the entry of an individual\npassword accompanying the LID, adding an increased level of security to the on-line system. This\neffectively disrupts the sequential pattern of the lids. 
Further changes to existing applications for\nunique LIDS are not feasible at this time.\n\nWhereas the use of generic user IDS and passwords is permitted on the Bull system, it is not\npermitted on MSHA\xe2\x80\x99s LAN. It is not the policy on the LAN to automatically log off a user after\na period of inactivity, nor does MSHA plan to institute such a policy. However, on machines\nusing the desktop core load, a screen saver is initiated after 15 minutes of inactivity on the LAN.\nUsers must re-enter their passwords to resume the network session. Nonetheless, LAN users\nhave been instructed to log off and shut down their computers when they leave for the day. On\nthe Bull system, users are logged off of the system after a relatively short period of inactivity.\n\nOIG\xe2\x80\x99s Conclusion:\n\nThis recommendation is resolved and open. Closure is dependent upon our review of the new\nMSHA procedures and policies for logical access and our testing of the new security settings\nduring the FY 2001 audit.\n\nk. Encryption\n\nDuring our FY 2000 audit, we found that encryption tools have not been implemented to\nadequately protect the transmission of information between the MSHA LAN and the Bull\nmainframe. Lack of strict controls governing logical controls over telecommunications access\n\n\n                                                 62\n\x0cincreases the risk of unauthorized persons jeopardizing the confidentiality, integrity, and\navailability of information. 
By not encrypting information as it travels over the network, MSHA\nfaces the risk that information (including information required to be protected under the privacy\nact) could be obtained and/or reviewed by unauthorized users through the use of sniffers or other\ntechnologies.\n\nThe following criteria were used in reporting this finding:\n\n       S        NIST Special Publication 800-18, Guide for Developing Security Plans for\n               Information Technology Systems\n       S        OMB Circular A-130, Appendix III, Security of Federal Automated Information\n               Resources\n\nRecommendation:\n\nThe following prior year recommendations to the Chief Information Officer and the Assistant\nSecretaries pertains to this finding:\n\n\xe2\x80\xa2      ensure that the agency are in compliance with the computer security handbook and\n       that agency SSPs (for its GSS and MAs) include appropriate controls for the protection\n       of physical environment in which system hardware, backups, telecommunication\n       equipment, and other sensitive components reside, and\n\xe2\x80\xa2      ensure that the SSPs include specific technical standards (security settings, critical\n       system configuration, etc.) for each general support system and major application.\n\nManagement\xe2\x80\x99s Response:\n\nMSHA is in the process of investigating the software and hardware upgrades necessary to\nimplement router-to-router encryption throughout MSHA. This would provide for data transfer\nsecurity but would not provide origin to destination encryption necessary to ensure complete data\ntransfer security. 
As part of the initiative to upgrade network infrastructure security, including the\nrequirement to fully encrypt Privacy Act data, various technologies, including Virtual Private\nNetwork (VPN), are being evaluated for implementation in MSHA within the context of the new\nMSIS environment.\n\nOIG\xe2\x80\x99s Conclusion:\n\nThese recommendations are resolved and open. Closure is dependent upon our review of the\nsecurity measures being implemented in the new MSIS environment during the FY 2001 audit.\n\nl. Monitoring Policies\n\nDuring our FY 2000 audit, we found that management does not have a process in place to\n\n\n                                                 63\n\x0cadequately address security monitoring for both the Bull and LAN systems. Specifically:\n\n       S       Policies do not define what constitutes violation and escalation procedures.\n       S       Security managers do not investigate security violations.\n       S       Violations are not requested from the DECC, summarized and reported to senior\n               management.\n       S       Management does not review activities involving access to and modifications of\n               sensitive or critical files on the Bull.\n       S       Access control policies and techniques are not modified when violations and\n               related risk assessments indicate that such changes are appropriate.\n\nWithout adequate monitoring controls, unauthorized attempts at gaining access to system\nresources may remain undetected and may eventually lead to an unauthorized user gaining access\nto the system. Without auditing access sensitive resources, management may not be aware of\nunauthorized attempts or modifications. 
Such gaps may expose the agency to the risk of an individual gaining unauthorized access to
sensitive files, with a significant impact on the integrity and availability of the system.

The following criteria were used in reporting this finding:

       •       System Authorization Access Request (SAAR) Memorandum from the Director of
               Program Evaluation and Information Resources
       •       NIST Special Publication 800-18, Guide for Developing Security Plans for
               Information Technology Systems

Recommendation:

The following prior year recommendation to the Chief Information Officer and the Assistant
Secretaries pertains to this finding:

•      ensure that the agency is in compliance with the computer security handbook and that
       agency SSPs (for its GSS and MAs) include appropriate policies and procedures for
       the monitoring of inappropriate or unusual activity occurring on the system. Policies
       and procedures should include, but are not limited to, management's determination of
       what constitutes a violation of the policy, the frequency of reviews, reporting and
       escalation processes, and the maintenance of documentation (manual or automated) for
       audit trail purposes.

Management’s Response:

With the availability of the TP log file and associated reports previously described in
j. Logical Controls to Prevent or Detect Unauthorized Access, management once again has the
ability to review update types, frequency, transaction initiator and transaction success/failure for
the most sensitive and critical of MSHA’s files. However, there are additional violation reports
that are currently not available to MSHA from the Bull system.
DECC has been notified of this
security deficiency and is exploring the possibility of providing these reports for MSHA’s critical
and supporting files.

MSHA is planning the evaluation and selection of network monitor/security software. It is
MSHA’s intention to implement a product that is capable of identifying and logging unauthorized
access from either a LAN connection or dial-in source.

As part of the MSHA security program implementation plan, MSHA will develop policy and
procedures for incident handling and response. A section of the policy will include the creation of
a Computer Security Incident Response Team (CSIRT) within MSHA. The MSHA CSIRT will
be part of an overall Department of Labor CSIRT directed by the OCIO. The policies and
procedures will be in place by September 2001.

OIG’s Conclusion:

This recommendation is resolved and open. Closure is dependent upon our review of the
implementation of the MSHA security program during the FY 2001 audit.

m. Accreditation Policies

During our FY 2000 audit, we found that ADBMS, a critical application, and the GSS used to
support the application do not have written authorization or accreditation statements from the
program or functional managers whose missions the systems support. Systems or applications
that have not proceeded through proper accreditation run the risk of not having completed
mandatory security tests, evaluations, or risk analyses.
Critical processing or security controls may then be overlooked, which could in turn
compromise important production data files or programs within the system.

The following criteria were used in reporting this finding:

       •       OMB Circular A-130, Appendix III, Security of Federal Automated Information
               Resources
       •       The Federal Managers’ Financial Integrity Act of 1982
       •       NIST Special Publication 800-18, Guide for Developing Security Plans for
               Information Technology Systems

Recommendation:

The following prior year recommendation to the Chief Information Officer and the Assistant
Secretaries pertains to this finding:

•      ensure that the agency is in compliance with the security handbook by verifying that
       all financially significant applications and support systems have been properly accredited
       and that independent functional reviews are conducted at least every 3 years.

Management’s Response:

MSHA submitted security plans to the OCIO in December 2000 for the General Support System
and 6 Major Applications including the Assessments ADBMS. MSHA completed a risk
assessment of the Agency’s major applications, including the Assessments Database Management
System (ADBMS), in November 2000. This Risk Assessment was conducted using Risk Watch,
the model adopted by the Department. The draft Vulnerability Report was submitted to the
Office of the Chief Information Officer on December 12, 2000. The identification of MSHA’s
current risks and threats in the Vulnerability Report will be used to produce an Authorization to
Process document for the ADBMS.
However, as the Major Applications are moved to the
Common Platform as part of the MSHA Standardized Information System (MSIS) project, a
certification and accreditation process for the GSS and the MSIS is scheduled to begin in October
of 2001.

OIG’s Conclusion:

This recommendation is resolved and open. Closure is dependent upon the certification and
accreditation of MSHA’s MAs and our review of the MSIS process for certification and
accreditation during the FY 2002 audit.


2.     DOL Needs to Fully Implement a Systems Development Life Cycle Methodology

Current Year Findings and Recommendations

a. Application Change Procedures

During our FY 2000 audit, we found that application changes to the database are logged;
however, the log is generated in an unreadable format and, therefore, is not reviewed. The
Database Manager does not have an effective utility to translate the before and after images of
changed records into a readable format. As a result, updates to transactions cannot be traced
back to the change that produced them.

The following criterion was used in reporting this finding:

       •       NIST Special Publication 800-12, An Introduction to Computer Security: The
               NIST Handbook

Recommendation:

The following prior year recommendation to the Chief Information Officer and the Assistant
Secretaries pertains to this finding:

•       ensure that the agency is in compliance with DOL's SDLC Manual and the process is
        followed by all DOL and contractor personnel who are developing, acquiring, or
        managing systems or making enhancements to existing systems.

Management’s Response:

The transaction processing log file and related programs that run on the Bull system were
temporarily unusable following the migration from DMIV TP to TP8. The log files have been
modified and are now fully functional.
The reports generated by these programs log transaction activities as they occur, thereby
providing a method for tracking database changes. The DBA reviews the reports in order to
identify any unusual activity. The DBA notifies the SDM division chief of any unusual activity.

OIG’s Conclusion:

This recommendation is resolved and open. Closure is dependent upon our review of the logs
and the procedures for reviewing the activity logs during the FY 2001 audit.

b. Change Control Policies and Procedures

During our FY 2000 audit, we found several weaknesses in MSHA's change control process.
Specifically:

•       Change request forms are not appropriately documented or authorized. Of the 17 change
        request forms tested, only 12 could be obtained. In addition, 1 of the 12 did not appear to
        be appropriately authorized.
•       Software changes are logged by fiscal year, but information associated with the various
        stages of a change history (i.e., request, development, test, user acceptance, final approval,
        migration, etc.)
        is not tracked or captured effectively.
•       Test plan standards that include a comprehensive set of test transactions and data for
        testing new changes are not documented.
•       System and/or user documentation is not always updated for software, hardware,
        operating personnel, and system users when a new or modified system is implemented.
•       Library management software is not used to:

        •       produce audit trails of program changes;
        •       maintain program version numbers;
        •       record and report program changes;
        •       maintain creation/date information for production modules; and
        •       maintain copies of previous versions and control concurrent updates.

Without strong controls over the application change management process, changes to the system
may:

•      not meet user requirements
•      not be adequately tested
•      not be appropriately authorized
•      be associated with higher costs
•      not adequately address security concerns

Controls over the modification of application software programs and the movement of programs
and data among libraries decrease the risk of unauthorized program and data changes.
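The library-management functions listed above (an audit trail of program changes, version
numbers and creation dates for production modules, retention of previous versions, and control
of concurrent updates) can be illustrated with a minimal controlled program library. The
following Python class is an added example written for this page; it is neither MSHA’s work
order system nor Rational ClearCase, and the module name, work order numbers and source
text are constructed. Each check-in stores a new numbered version and keeps the earlier ones,
is refused when it is based on a version that is no longer current (a concurrent update), and
appends a hash-chained audit entry so that an edited or deleted entry in the trail is detectable.

```python
"""A minimal controlled program library (constructed example).

Illustrates the library-management controls an auditor looks for: numbered versions with
creation date and author, previous versions retained, concurrent updates refused, and a
tamper-evident (hash-chained) audit trail of every change. Module names and contents
are constructed; this is not MSHA's or any vendor's implementation.
"""
import hashlib
import json
from datetime import datetime, timezone


class ConcurrentUpdate(Exception):
    """Raised when a check-in is based on a version that is no longer current."""


class ProgramLibrary:
    def __init__(self):
        self._versions = {}   # module name -> list of version records, oldest first
        self._trail = []      # hash-chained audit entries, one per check-in

    def _record(self, **event):
        """Append an audit entry whose hash covers the entry and the previous hash."""
        prev = self._trail[-1]["entry_hash"] if self._trail else "0" * 64
        event["prev_hash"] = prev
        body = json.dumps(event, sort_keys=True).encode()
        event["entry_hash"] = hashlib.sha256(prev.encode() + body).hexdigest()
        self._trail.append(event)
        return event["entry_hash"]

    def current(self, name):
        return self._versions[name][-1]["version"] if name in self._versions else 0

    def checkin(self, name, source, who, change_id, base_version, when=None):
        """Store a new version of `name`.

        base_version is the version the programmer started from; if it is not the
        current version, someone else checked in meanwhile and this check-in is refused
        rather than silently overwriting their change.
        """
        if base_version != self.current(name):
            raise ConcurrentUpdate(
                f"{name}: based on version {base_version}, current is {self.current(name)}")
        version = base_version + 1
        created = (when or datetime.now(timezone.utc)).isoformat()
        digest = hashlib.sha256(source.encode()).hexdigest()
        self._versions.setdefault(name, []).append(
            {"version": version, "source": source, "sha256": digest,
             "created": created, "who": who, "change_id": change_id})
        self._record(module=name, version=version, sha256=digest,
                     created=created, who=who, change_id=change_id)
        return version

    def source(self, name, version=None):
        """Source text of a given version (latest if version is None); old versions are kept."""
        versions = self._versions[name]
        return versions[(version or len(versions)) - 1]["source"]

    def verify_trail(self):
        """Recompute the chain; any edited, inserted or deleted entry breaks it."""
        prev = "0" * 64
        for entry in self._trail:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev:
                return False
            expected = hashlib.sha256(
                prev.encode() + json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["entry_hash"] != expected:
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Two check-ins, a stale check-in refused, then tampering with the trail detected."""
    lib = ProgramLibrary()
    t = datetime(2000, 11, 6, 9, 0, tzinfo=timezone.utc)      # constructed timestamp
    v1 = lib.checkin("ASSESSRPT", "PRINT 'v1'", "prog1", "WO-101", base_version=0, when=t)
    v2 = lib.checkin("ASSESSRPT", "PRINT 'v2'", "prog2", "WO-102", base_version=1, when=t)
    try:   # prog1 still holds version 1 and tries to check in over prog2's change
        lib.checkin("ASSESSRPT", "PRINT 'stale'", "prog1", "WO-103", base_version=1, when=t)
        rejected = False
    except ConcurrentUpdate:
        rejected = True
    intact_before = lib.verify_trail()
    lib._trail[0]["who"] = "someone_else"      # simulate after-the-fact editing of the trail
    intact_after = lib.verify_trail()
    return (v1, v2, rejected, intact_before, intact_after,
            lib.source("ASSESSRPT", 1), lib.source("ASSESSRPT"))


if __name__ == "__main__":
    print(demo())
```

The point of the chained hash is that a library’s audit trail is only an audit trail if the people
who can change programs cannot also quietly rewrite the record of having done so; the
base-version check is the simplest form of the concurrent-update control listed above, refusing a
stale check-in instead of letting the later one silently overwrite the earlier.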
Without such controls, improper changes could be incorporated into a program, causing
processing irregularities, hampering future system development, or rendering security features
inoperable.

The following criterion was used in reporting this finding:

       •       NIST Special Publication 800-18, Guide for Developing Security Plans for
               Information Technology Systems

Recommendation:

The following prior year recommendation to the Chief Information Officer and the Assistant
Secretaries pertains to this finding:

•      ensure that the agency is in compliance with DOL's SDLC Manual and the process is
       followed by all DOL and contractor personnel who are developing, acquiring, or
       managing systems or making enhancements to existing systems.

Management’s Response:

MSHA developed and implemented System Change Management Guidelines in June. These
guidelines covered change request review, development standards, testing standards, version
control, release control, user acceptance, documentation update, user training, and
implementation management.

At this time we do not plan to implement library management software to control the existing
legacy systems. However, a Configuration Management Plan is being developed that will expand
upon the change management procedures and will apply to all applications and systems within the
Agency’s Information Resource Center. For the legacy applications, a work order system has
been developed that contains, among other things, a description of the requested change, the
name of the approving official, and the SDM branch and programmer responsible for the change.
The status of each change request is tracked from the start of the work through testing, user
approval, and final implementation.
Reports from this system provide audit trails of each
requested change on each application. Version control numbering, where appropriate, is instituted
and a version description document (VDD) will be prepared for each version release.

Change control of system and user documentation will be managed through use of the Rational
ClearCase tool. The Rational software tools were selected for use on the MSHA Standardized
Information System (MSIS) and will document source code changes and version control, as well
as track previous versions and concurrent updates.

OIG’s Conclusion:

This recommendation is resolved and open. Closure is dependent upon our review of the new
MSIS policies and procedures for change control during the FY 2001 audit.

3.     DOL Needs to Complete and Fully Test Its Plan(s) for Maintaining Continuity of
       Operations

Current Year Findings and Recommendations

a. Service Continuity

During our FY 2000 audit, we found that MSHA does not have current contracts and agreements
established for alternate data processing and telecommunications facilities (hot site, cold site or
mobile vendors, or agreements with other agencies to utilize their excess capacity). The lack of
alternate processing agreements increases the likelihood that management will be unable to
recover its operations, or to recover them in a timely manner, in the event of an extended service
interruption.

The following criteria were used in reporting this finding:

       •       OMB Circular A-130, Appendix III, Security of Federal Automated Information
               Resources
       •       NIST Special Publication 800-18, Guide for Developing Security Plans for
               Information Technology Systems
       •       FIPS Pub. No.
               87, Guidelines for ADP Contingency Planning

Recommendation:

The following prior year recommendation to the Chief Information Officer and the Assistant
Secretaries pertains to this finding:

•      ensure that the agency is in compliance with the computer security handbook by
       ensuring each agency develops the required contingency plan. In addition, agencies
       should ensure that: arrangements have been made for an alternate processing facility;
       plans are stored at the off-site storage facility; plans include sufficient guidelines for
       developing roles, responsibilities and recovery instructions, training primary and back-up
       personnel, and the frequency of updates, periodic tests, etc.

Management’s Response:

MSHA completed a risk analysis of the General Support System (LAN/WAN) and the Major
MSHA Applications in November. The Vulnerability Reports have been submitted to the DOL
OCIO for review.

As part of the MSHA Security Program Plan, MSHA will develop a contingency plan for the
MSHA LAN/WAN and all major applications beginning the second quarter of FY 2001. MSHA
developed a Security Program Work Plan that includes the purpose, objectives and deliverables
for a Contingency Plan. One of the deliverables is a plan to test the contingency plan.

OIG’s Conclusion:

This recommendation is resolved and open. Closure is dependent upon our review of the new
MSHA Security Program Plan and the implementation of the Contingency Plan during the FY
2001 audit.

b. Business Continuity Plan

During our FY 2000 audit, two weaknesses were identified in MSHA's ability to provide
uninterrupted service in support of its mission.
Specifically:

•      The Defense Enterprise Computing Center (DECC) has a contingency plan; however, the
       plan has never been tested.
•      The Mine Safety and Health Administration “Business Continuity and Contingency Plan
       (BCCP),” dated September 1999, is too narrow in scope (it addresses Y2K scenarios) and
       does not sufficiently address all critical requirements for a disaster recovery plan.

Without a tested contingency plan, management cannot know whether the plan is effective or
has weaknesses that would impair the agency’s ability to recover in the event of an extended
service interruption.

The following criteria were used in reporting this finding:

       •       OMB Circular A-130, Appendix III, Security of Federal Automated Information
               Resources
       •       NIST Special Publication 800-18, Guide for Developing Security Plans for
               Information Technology Systems
       •       FIPS Pub. No. 87, Guidelines for ADP Contingency Planning

Recommendation:

The following prior year recommendation to the Chief Information Officer and the Assistant
Secretaries pertains to this finding:

•      ensure that the agency is in compliance with the computer security handbook by
       ensuring each agency develops the required contingency plan.
       In addition, agencies
       should ensure that: arrangements have been made for an alternate processing facility;
       plans are stored at the off-site storage facility; plans include sufficient guidelines for
       developing roles, responsibilities and recovery instructions, training primary and back-up
       personnel, and the frequency of updates, periodic tests, etc.

Management’s Response:

MSHA completed a risk analysis of the General Support System (LAN/WAN) and the Major
MSHA Applications in November. The Vulnerability Reports have been submitted to the DOL
OCIO for review.

As part of the MSHA Security Program Plan, MSHA will develop a contingency plan for the
MSHA LAN/WAN and all major applications beginning the second quarter of FY 2001. MSHA
developed a Security Program Work Plan that includes the purpose, objectives and deliverables
for a Contingency Plan. One of the deliverables is a plan to test the Contingency Plan.

OIG’s Conclusion:

This recommendation is resolved and open. Closure is dependent upon our review of the new
MSHA Security Program Plan and the implementation of the Contingency Plan during the FY
2001 audit.

Current Year Management Letter Comments

a. Segregation of Duties

During our FY 2000 audit, we found that the duties currently performed by computer operations
and application programming are not appropriately segregated. Specifically, MSHA’s Production
Control function, which is responsible for running production jobs, reports directly to the
Manager of the System Design and Management Division and not to the Systems Operation and
Communication Division.
Inadequately segregated duties create the risk that a single individual, being in a position to
override or bypass key controls established by management, could adversely affect the
availability, confidentiality, and integrity of the system.

The following criteria were used in reporting this finding:

       •       NIST Special Publication 800-18, Guide for Developing Security Plans for
               Information Technology Systems
       •       NIST Special Publication 800-12, An Introduction to Computer Security: The
               NIST Handbook

Recommendation:

The following prior year recommendation to the Chief Information Officer and the Assistant
Secretaries pertains to this finding:

•      ensure that MSHA’s SSP is in compliance with the CIO’s Computer Security
       Handbook and clearly defines the roles and responsibilities of its staff members in
       accordance with the least privilege concept, and that the duties performed by its
       employees do not allow the circumvention of management’s intended controls.

Management’s Response:

The Production Control staff has been placed under the Systems Operations and Communications
Division and reports to the Manager of that division. See the PEIR organization chart below.

[MSHA Organization Chart: PEIR organization chart (graphic not reproduced in this text)]

OIG’s Conclusion:

This recommendation is resolved and open.
Closure is dependent upon our review of the new
MSHA Security Program Plan and structure during the FY 2001 audit.


         OFFICE OF THE ASSISTANT SECRETARY FOR ADMINISTRATION
                        AND MANAGEMENT (OASAM)

We tested general controls and security over EDP systems of the OASAM as they pertain to the
following critical financial application:

•      Purchase Request Information System (PRISM)

Issues reported by management as being closed during the period under review were re-tested
using GAO’s Federal Information System Controls Audit Manual (FISCAM). The OIG's IT
Audit Rotation schedule did not include any new testing to be performed as part of the FY 2000
Financial Statement Audit.

1.     DOL Needs to Strengthen Controls to Protect Its Information

Status of Prior Year Findings and Recommendations

Risk Assessments

During our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found that the Office of
Business System Services (OBSS) did not have a completed and approved risk assessment that
considers data sensitivity and integrity, the range of risks to the entity’s systems and data, and
resource classifications for the PRISM application. We made the following recommendation to
the Chief Information Officer and the Assistant Secretaries:

•      ensure that entitywide security programs are developed, documented and implemented
       for all departmental systems. The programs should include an up-to-date security
       plan, risk assessment, security management structure, and access monitoring.

During our FY 2000 audit, we found that a risk assessment for PRISM is in progress.
Management stated that 60 percent of the questionnaires fielded for the vulnerability assessment
had been received and the answers imported into Risk Watch.
This recommendation is resolved and open.
Closure is dependent on our review of the completed risk assessment.

Management’s Response:

The PRISM risk assessment, through use of Risk Watch software, was formulated during
August-September 2000. A draft report was submitted to the OCIO October 3, 2000. Resulting
comments made by the OCIO were considered and appropriately incorporated into the risk
assessment. A second draft report was submitted to the OCIO on December 11, 2000, for final
review and management approval.

OIG’s Conclusion:

This recommendation remains resolved and open pending our review of the completed risk
assessment during the FY 2001 audit.

Entitywide Security Program Plan

During our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found that OASAM’s
security plan could be enhanced to further meet federally established criteria. We made the
following recommendation to the Chief Information Officer and the Assistant Secretaries:

•      ensure that computer security plans are developed and implemented for all
       departmental systems.

During our FY 2000 audit, we found that management is currently updating all of the System
Security Plans in accordance with the Department of Labor’s revised Computer Security
Handbook. This recommendation is resolved and open. Closure is dependent on our review of
the completed security plan.

Management’s Response:

The PRISM System Security Plan, using a newly revised template provided by OCIO, was
submitted to the OCIO December 6, 2000.
OCIO comments, received December 28, 2000, will
be incorporated into the plan.

OIG’s Conclusion:

This recommendation remains resolved and open pending our review of the completed PRISM
System Security Plan during the FY 2001 audit.

Incident Response Capabilities

During our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found that OASAM’s
reporting of incident responses could be improved. We made the following recommendation to
the Chief Information Officer and the Assistant Secretaries:

•      ensure that departmental and agency policies exist and are implemented to address
       computer security incident response.

During our FY 2000 audit, we found that OASAM incident response procedures have been revised
and addressed in the Computer Security Handbook. This recommendation is resolved and open.
Closure is dependent on our review of the agency’s implementation of incident response procedures
during FY 2001.

Management’s Response:

No additional comments are provided by OASAM. PRISM follows the operating guidelines
contained in Appendix D, “Detailed Technical Incident Response Procedures,” of the DOL
Computer Security Handbook.

OIG’s Conclusion:

This recommendation remains resolved and open pending our review of the agency’s
implementation of incident response procedures during the FY 2001 audit.

Personnel Security Controls

During our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found that OBSS had not
implemented effective security controls related to personnel policies and procedures.
We made
the following recommendation to the Chief Information Officer and the Assistant Secretaries:

•      ensure that a background check is conducted for all Government and contractor
       management personnel with high levels of system access.

During our FY 2000 audit, management stated the following after our field work was completed:

•      The physical, operational and system security controls are in progress along with the OBSS
       Major Application and General Support System Plans.
•      All OBSS job descriptions and related duties have been reviewed and updated. A training
       form was developed to document and track all employee training and professional
       development. Training forms have been distributed to personnel for any updates.
•      In accordance with the DOL Computer Security Handbook, a security awareness and
       education program must be included in all system security plans. All OBSS personnel will
       receive awareness training biannually.

This recommendation is resolved and open. Closure is dependent on our review of the agency’s
completed system security plan and management’s submission of the document as part of the FY
2001 audit.

Management’s Response:

OBSS position descriptions address the assignment of computer security and other related system
administration duties to senior computer specialist staff within OBSS.

Nearly 75 percent of OASAM’s information technology staff, including the three (3) computer
specialists within OBSS, participated in the all-day DOL Computer Security Awareness Day held
on October 25, 2000.
Attendance records for the various programs and keynote speaker sessions
are available from the OCIO.

OIG’s Conclusion:

This recommendation remains resolved and open pending our review of the agency’s completed
system security plan addressing personnel security and management’s submission of the
documentation of the security training during the FY 2001 audit.

Independent Review of Critical Systems

During our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found that the general
support system of PRISM had not undergone an independent review or audit within the last 3
years. We made the following recommendation to the Chief Information Officer and the Assistant
Secretaries:

•      ensure that agencies are in compliance with the computer security handbook by
       verifying that all financially significant applications and support systems have been
       properly accredited and that independent functional reviews are conducted at least
       every 3 years.

During our FY 2000 audit, we found that a security review of the GSS is scheduled. This
recommendation remains resolved and open. Closure is dependent upon our review of the
accreditation and independent functional review of PRISM.

Management’s Response:

The Employee Computer Network (ECN) underwent an OIG penetration test during September
2000. A report covering the PRISM penetration test, which generally covers the access controls
within PRISM, is in draft; the final report has not yet been completed by OIG.

OIG’s Conclusion:

This recommendation remains resolved and open pending the submission of the accreditation and
independent functional review of PRISM to the OIG during the FY 2001 audit.

Authorizations and Monitoring of Logical Access

During our FY 1999 audit (OIG Report No.
12-00-003-13-001), we found that the policies and
procedures over the authorization, modification, and periodic monitoring of users (end users,
contractors, production support, etc.) having logical access to the PRISM environment
(application, operating system, databases, utilities, etc.) require improvement. Specifically, the
PRISM users selected for testing did not have the appropriate access authorization forms on file.
We made the following recommendation to the Chief Information Officer and the Assistant
Secretaries:

•      ensure agencies are in compliance with the computer security handbook and that
       agency SSPs contain sufficient policies and procedures governing the authorization,
       modification, removal, and monitoring of access based on the concept of “least
       privilege,” and emergency access. A recertification should be conducted of all IDs on
       the system and the business need documented. In addition, IDs that have been granted
       access to production programs and data (outside of the application) should be
       restricted from this level of access.

During our FY 2000 audit, we found that policies governing the authorization, modification, and
monitoring of PRISM users will be included in the PRISM system security plan. All PRISM
users, production and test, will have appropriate access forms on file.

This recommendation is resolved and open. Closure is dependent on our review of the PRISM
SSP and the retesting of authorization forms.

Management’s Response:

OBSS maintains a file of PRISM access authorization forms in the director’s office, which are
available for OIG review. On December 7, 2000, OBSS submitted a request for recertification, in
the form of a “Procurement Software Registration Form,” to the supervisor/manager of every
production system PRISM user.
Approximately 90 percent of the 68 forms have been completed
and returned. Outstanding forms are expected in OBSS in the near future.

OIG’s Conclusion:

This recommendation remains resolved and open pending our review of the PRISM SSP and the
retesting of authorization forms during the FY 2001 audit.

Physical Controls

During our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found that physical controls
to prevent or detect unauthorized or inappropriate access to the ITC data center need
improvement. We made the following recommendation:

•      ensure agencies are in compliance with the computer security handbook and that
       agency SSPs include appropriate controls for the protection of the physical
       environment in which system hardware, backups, telecommunication equipment, and
       other sensitive components reside. In addition, we recommend agency SSPs include
       specific technical standards (security settings, critical system configurations, etc.) for
       each general support system and major application.

During FY 2000 we noted that access to the data center can be further restricted. Specifically, we
found that:

•      4 of the 20 individuals reviewed no longer have a business need for access to the data
       center, and their access should be revoked;
•      6 of the 20 individuals were from the CFO’s office and were deemed to have inappropriate
       access to the data center based upon their job function;
•      3 of the 20 access request forms could not be found documenting access;
•      9 of the 20 forms did not contain sufficient information to adequately identify the access
       being granted; and
•      16 of the 20 forms did not contain adequate approvals.

This recommendation is resolved and open.
Closure is dependent on our review of the completed corrective actions that prevent or detect unauthorized or inappropriate access to the ITC data center during the FY 2001 audit.

Management’s Response:

Fire extinguishers are periodically serviced, with the most recent service during December 2000. Surveillance equipment will be considered during the computer room renovation scheduled for FY 2002, although no regulation requiring such equipment has been discovered. The changes that have been made to date regarding computer room access control are considered adequate for the current configuration.

OIG’s Conclusion:

This recommendation remains resolved and open pending our review of the completed corrective actions that prevent or detect unauthorized or inappropriate access to the ITC data center during the FY 2001 audit.

Password Parameters

During our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found that logical access controls over the PRISM application server could be improved. We made the following recommendation:

•      ensure agencies are in compliance with the computer security handbook and that agency SSPs include appropriate controls for the protection of the physical environment in which system hardware, backups, telecommunication equipment, and other sensitive components reside. In addition, we recommend agency SSPs include specific technical standards (security settings, critical system configurations, etc.) for each general support system and major application.

During our FY 2000 audit, we found that corrective actions are in progress. This recommendation is resolved and open. Closure is dependent on our review of the completed corrective actions.

Management’s Response:

All corrective actions have been completed.
Accounts are no longer locked out for 30 minutes; such lockout now requires intervention by the help desk managed by ITC’s Computer Technology Center. Privileged user passwords are now distributed to individual local system administrators. Password aging on any server is now set to an ITC standard.

OIG’s Conclusion:

This recommendation remains resolved and open pending our review of the completed corrective actions during the FY 2001 audit.

NT Security Settings

During our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found that security settings for the PRISM NT server are not optimally configured to (1) restrict users from having more access rights to system and application files than are required, and (2) reduce the risk of unauthorized access to the server. In addition, the administrator account is permitted to log on to the server from the network, and null session access is allowed to the PRISM NT server. We made the following recommendation:

•      ensure agencies are in compliance with the computer security handbook and that agency SSPs include appropriate controls for the protection of the physical environment in which system hardware, backups, telecommunication equipment, and other sensitive components reside. In addition, we recommend agency SSPs include specific technical standards (security settings, critical system configurations, etc.) for each general support system and major application.

During our FY 2000 audit, we found that corrective actions are in progress. This recommendation is resolved and open. Closure is dependent on our review of the completed corrective actions.

Management’s Response:

NT and advanced user rights are now appropriately assigned to each server. Permissions for directories on the PRISM production server are now adequately restricted.
User connection to the PRISM server is satisfied through the use of Oracle software, and is activated only upon required database access requests. The period of inactivity has been reviewed, and users are now logged off after expiration of the inactivity time. A screen saver with password has been enabled on the PRISM server. PRISM operates in a 24/7 mode, except for late weekends to accommodate database unload; forced logoff is not appropriate.

The local administrator account is not permitted to log on to the server from the network; PRISM system administrators may use their network accounts to log on to the server to enable access to other network tools. Null sessions have been eliminated for all server access.

OIG’s Conclusion:

This recommendation remains resolved and open pending our review of the completed corrective actions during the FY 2001 audit.

2.     DOL Needs to Fully Implement a Systems Development Life Cycle Methodology

Status of Prior Year Finding and Recommendation

System Software

During our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found that system software policies and procedures governing technical, monitoring, and configuration management controls can be improved. We made the following recommendation to the Chief Information Officer and the Assistant Secretaries:

•      ensure that the SDLC manual provides adequate guidance for the monitoring of access and use of system software utilities.

During FY 2000, we found that a Configuration Control Board has been created by ITC/OCIO to review all Change Requests. A comprehensive and complete System Development Life Cycle (SDLC) and Change Management process exists to ensure all changes to hardware and software are formally requested, approved, and adequately tested to minimize the risk of errors and irregularities in the production environment.
This recommendation is resolved and open. Closure is dependent on our review of the agency’s policies and procedures during FY 2001.

Management’s Response:

ITC manages the system change process throughout the ECN through the use of System Change Requests.

OIG’s Conclusion:

This recommendation remains resolved and open pending our review of the agency’s policies and procedures during the FY 2001 audit.

3.     DOL Needs to Complete and Fully Test Its Plan(s) for Maintaining Continuity of Operations

Status of Prior Year Findings and Recommendations

Emergency Response Capabilities

During our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found that emergency response policies and procedures are inadequate to ensure staff are trained in and aware of their responsibilities in preventing, mitigating, and responding to emergency situations. We made the following recommendations to the Chief Information Officer and the Assistant Secretaries:

•      ensure that agencies are in compliance with the computer security handbook and that agency SSPs include appropriate policies and procedures for:
       -   properly creating, securing, maintaining, and rotating backups;
       -   emergency responses, and ensure training is provided to appropriate personnel;
•      ensure that adequate environmental controls are in place at DOL data center facilities; and
•      ensure agencies are in compliance with the SDLC manual, which includes guidelines for: (1) using and monitoring use of system software utilities, (2) identifying, selecting, installing, and modifying system software, and (3) effective hardware maintenance, problem management, and change management to assist in preventing unexpected interruptions.

During our FY 2000 audit, we found that contingency planning in accordance with the DOL computer security handbook does address response policies/procedures for all situations, and mandates these procedures to be part of the system security plans. In order to standardize all Agency response procedures, the Critical Infrastructure Protection Work Group is tasked with developing a contingency plan template. Upon completion of this template, OBSS will update its current contingency plan. Therefore, until the agency updates its contingency plan based on the new template, these recommendations are resolved and open. Closure is dependent on our review of the agency’s completed emergency response procedures.

Management’s Response:

Appendix C, “Contingency Planning and Methodology Guide,” of the DOL Computer Security Handbook provides contingency planning policies. Development of procedures for preventing, mitigating, and responding to emergency situations within PRISM is underway as part of OASAM’s effort to formalize standard operating procedures.

OIG’s Conclusion:

These recommendations remain resolved and open pending our review of the agency’s completed emergency response procedures during the FY 2001 audit.

Alternate Data Processing Facilities

During our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found that OASAM does not have arrangements for an alternate data processing and telecommunication facility (e.g., Hotsite). We made the following recommendation to the Chief Information Officer and the Assistant Secretaries:

•      ensure agencies are in compliance with the computer security handbook by ensuring each agency develops the required contingency plan. In addition, agencies should ensure that: arrangements have been made for an alternate processing facility; plans are stored at the off-site storage facility; and plans include sufficient guidelines for developing roles, responsibilities and recovery instructions, training for primary and backup personnel, and frequency of updates, etc.

During our FY 2000 audit, we found that a hotsite has been designated and Frame Relay circuits have been ordered and installation has begun. This recommendation is resolved and open. Closure is dependent on our review of the completed corrective action plan.

Management’s Response:

OASAM is near completion of testing its hot-site facility in Kansas City. It is anticipated that the site will be completed in the near future.

OASAM has an ATM/Frame Relay in place and functioning. The next phase of the plan is to install and set up an Internet connection and mirrored servers to ensure adequate backup of information resources and continuity of operations.

OIG’s Conclusion:

This recommendation remains resolved and open pending our review of the agency’s completed emergency response procedures during the FY 2001 audit.

Periodically Test the Contingency Plan and Adjust it as Appropriate

During our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found that OASAM’s Business Continuity and Contingency Plan (BCCP) was not tested during the period under review. We made the following recommendation to the Chief Information Officer and the Assistant Secretaries:

•      ensure agencies are in compliance with the computer security handbook by ensuring each agency develops the required contingency plan. In addition, the CIO should ensure that appropriate test plans (full and partial) are conducted on a periodic basis.

During our FY 2000 audit, we found that due to the level of effort and extensive preparations required for Y2K readiness, the BCCP was not tested until after the audit period. This recommendation is resolved and open. Closure is dependent on our review of the agency’s completed BCCP test plan.

Management’s Response:

The BCCP, the Department’s Continuity of Operations Plan (COOP) and the evaluation performed by FEMA during September 2000, and the Critical Infrastructure Protection Plan (CIPP) were submitted to OIG in November 2000 for review. An update to the COOP is scheduled for submission to FEMA by September 1, 2001.

OIG’s Conclusion:

This recommendation remains resolved and open pending our review of the agency’s completed BCCP test plan during the FY 2001 audit.

OCCUPATIONAL SAFETY AND HEALTH ADMINISTRATION (OSHA)

We tested general controls and security over EDP systems of the OSHA as they pertain to the following critical financial application:

•      Integrated Management Information System (IMIS)

Issues reported by management as being closed during the period under review were retested using GAO’s Federal Information System Controls Audit Manual (FISCAM). The OIG's IT Audit Rotation schedule did not include any new testing to be performed as part of the FY 2000 Financial Statement Audit. The scope in the prior year was limited to the EDP controls that are the responsibility of OSHA as they relate to the mainframe processing of IMIS. Therefore, the following outlines the controls deemed out of scope that were not tested:

•      Controls that are the responsibility of DOL's contractor, SunGard.
SunGard supports and maintains the mainframe operating system and physical environment used to process and store IMIS application data.

•      Controls associated with the UNIX environments running the client server portion of IMIS. UNIX is the platform used to host the NCR or Front End Processor (FEP) that initially processes and transmits information from the field offices to the SunGard mainframe. However, physical control weaknesses noted with the Washington, D.C., UNIX environment were documented and reported in this summary.

1.     DOL Needs to Strengthen Controls to Protect Its Information

Status of Prior Year Findings and Recommendations

System Accreditation

During our FYs 1999 and 1998 audits (OIG Report No. 12-99-002-13-001 and 12-00-002-13-001), we found that IMIS did not have a written authorization or accreditation statement from the program or function managers whose missions are supported by OSHA. We made the following recommendations to the Chief Information Officer and the Assistant Secretaries:

•      agencies are in compliance with the security handbook by verifying that all financially significant applications support systems have been properly accredited, and that independent functional reviews are conducted at least every 3 years, and
•      all departmental systems are accredited by the program management.

During our FY 2000 audit, we found that OSHA management was working with the OCIO to reexamine the security of the IMIS to verify proper accreditation. These recommendations are resolved and open. Closure is dependent on our review of the completed accreditation of the IMIS system.

Management’s Response:

OSHA has adopted the DOL Systems Development and Life Cycle Management Manual (SDLCM) methodology.
The DOL SDLCM has been distributed to Federal and Contractor staff for immediate use on the IMIS Re-Write task.

However, from a closer examination of Federal and DOL requirements documents, including OMB Circular A-130, the DOL Systems Development and Life Cycle Management Manual (Version 2.0), and FIPS Pub 102, OSHA has determined that establishing a program for certification and accreditation is a major effort that will require policies and procedures, allocation of a variety of roles and responsibilities, a prioritized listing, based on mission needs, of those applications that require certification and accreditation, development of an organization structure to handle certifications and accreditations, staffing, training, and support. These activities will take a significant amount of time, human resources, and funding to complete.

OSHA plans to begin work with the OCIO in early January 2001, to address:

•      Whether the OCIO plans to establish a DOL program for certification and accreditation, or if individual agencies are expected to establish their own programs.
•      What time frame is projected? What resources will be available to assist agencies?
•      What interim processes and procedures agencies can use for legacy systems, such as the IMIS, to satisfy certification and accreditation requirements while a certification and accreditation program is being built?

OIG’s Conclusion:

These recommendations remain resolved and open pending our review of OSHA’s corrective actions during the FY 2001 audit.

Entitywide Security Program Plan

During our FY 1997 and FY 1999 audits (OIG Report No. 12-98-002-13-001 and 12-00-002-13-001), we found that OSHA does not have a formally approved entitywide security plan.
We made the following recommendations to the Chief Information Officer and the Assistant Secretaries:

•      ensure computer security plans are developed and implemented for all departmental systems, and
•      entitywide security programs are developed, documented and implemented for all departmental systems. The programs should include an up-to-date security plan, risk assessments, security management structure, and access monitoring.

During our FY 2000 audit, we found that OSHA had received feedback and comments on the IMIS Draft 1998 Security Plan from the OCIO. OSHA is reviewing these comments. OSHA will work with the OCIO to update the IMIS security plan in accordance with the DOL Computer Security Handbook, version 1.0. These recommendations are resolved and open. Closure is dependent upon our review of the completed IMIS security plan.

Management’s Response:

Independent risk assessments of the IMIS were completed in November 2000. In compliance with OMB Circular A-130 and DOL Computer Security Handbook requirements, OSHA is updating the IMIS System Security Plan (SSP) to reflect not only the risk assessment findings, but also to address SOF2 issues. The target completion date for the IMIS SSP is January 5, 2001.

OIG’s Conclusion:

These recommendations remain resolved and open pending our review of the updated IMIS System Security Plan during the FY 2001 audit.

Personnel Policies and Procedures

During our FY 1997 and FY 1999 audits (OIG Report No. 12-98-002-13-001 and 12-00-002-13-001), we found that OSHA management information security controls related to personnel policies and procedures are inadequate.
We made the following recommendations to the Chief Information Officer and the Assistant Secretaries:

•      ensure that a background check is conducted for all Government employees and contractor management personnel with high levels of system access,
•      ensure computer security plans include procedures for proper termination of systems access of former employees, and that those procedures are implemented, and
•      ensure that all applicable employees and contractors receive the required training and maintain the appropriate documentation (e.g., lists of employees as of the training course date, attendance sheet of employees taking the course, topics, agendas, handouts, etc., provided during the program).

During our FY 2000 audit, we found that OSHA was working with the OCIO to update the IMIS security plan to include personnel policies and procedures to correct OSHA’s deficiencies in accordance with the DOL Computer Security Handbook, version 1.0. These recommendations are resolved and open. Closure is dependent upon our review of the completed IMIS security plan.

Management’s Response:

Security, confidentiality and non-disclosure requirements were written into the recent Task Order for the IMIS Security Plan Update. This practice is expected to be expanded to other IMIS-related Task Orders.

OSHA has begun exploring, in concert with other DOL agencies, the development and use of confidentiality/security agreements for employees and contractors. Efforts in this area are expected to continue throughout FY 2001. Closure may require consultation with the unions.

A Separation Clearance form and process has been developed and implemented for contract personnel to address ID badges, hardware and software, keys, and deletion of user IDs.
A Separation Clearance process exists for Federal staff. During the 2nd Quarter of 2001, OSHA will evaluate this process for possible improvements to ensure timely notification and deletion of user IDs.

The Directorate of Information Technology (DIT) initiated dialog with OCIO staff, OSHA’s Office of Personnel Management, and OASAM to obtain guidance and documentation on implementing a background screening program for Federal and contract personnel. By the end of the 3rd Quarter of 2001, OSHA expects to have identified staff requiring background screening and the level of screening required, and to begin scheduling the screening.

OSHA was a full participant on the committee to plan the annual DOL Computer Security Awareness Day, including user and technical training sessions. Sign-in logs provided a mechanism to record the participation of OSHA federal and contract staff.

A computer security awareness and training plan will be developed and included in the Agency’s Cyber Security Program Plan scheduled for submission to the OCIO by December 29, 2000. Awareness and training are expected to be ongoing. Documentation and monitoring of training will be addressed in the Plan.

Informal dialog on the need to have position descriptions revised to reflect IMIS security responsibilities has been initiated with OSHA’s Office of Personnel Management. Closure is expected to depend on OSHA working with OASAM and the OCIO.

OIG’s Conclusion:

These recommendations remain resolved and open pending our review of IMIS documentation and corrective actions during the FY 2001 audit.

Risk Assessments

During our FYs 1998 and 1999 audits (OIG Report No. 12-99-002-13-001 and 12-00-002-13-001), we found that OSHA does not have a completed/approved risk assessment that considers data sensitivity and integrity, the range of risks to the entity’s systems and data, and resource classifications. We made the following recommendation to the Chief Information Officer and the Assistant Secretaries:

•      ensure that entitywide security programs are developed, documented and implemented for all departmental systems. The programs should include an up-to-date security plan, risk assessments, security management structure, and access monitoring.

During our FY 2000 audit, we found that OSHA purchased the Risk Watch Automated Risk Analysis software tool in FY 1999 and staff attended training. OSHA staff has been a part of the Critical Infrastructure Protection workgroup that has contributed to the Vulnerability Assessment guide and the DOL Computer Security Handbook. This recommendation is resolved and open. Closure is dependent upon our review of the completed risk assessment.

Management’s Response:

OSHA procured the services of Troy Systems to conduct an independent RiskWatch quantitative risk assessment and a qualitative risk assessment of the IMIS. Troy submitted final reports to OSHA on November 28, 2000. Copies of the reports have been submitted to the OCIO for review.

OIG’s Conclusion:

This recommendation remains resolved and open pending our review of the completed risk assessment during the FY 2001 audit.

Authorization and Monitoring of User Logical Access

During our FYs 1998 and 1999 audits (OIG Report No. 12-99-002-13-001 and 12-00-002-13-001), we found that controls over the authorizing and periodic monitoring of users having logical access (including dial-in) to OSHA’s Integrated Management Information System (IMIS Host/Micro Systems) are inadequate.
We made the following recommendation to the Chief Information Officer and the Assistant Secretaries:

•      ensure agencies are in compliance with the computer security handbook and that the agency SSPs (for its GSS and MAs) contain sufficient policies and procedures governing the authorization, modification, removal, and monitoring of access based upon the concept of "least privileged," and emergency access. A recertification should be conducted of all IDs on the system and the business need documented. In addition, IDs that have been granted access to production programs and data (outside of the application) should be restricted from this level of access.

During our FY 2000 audit, we found that OSHA was in the process of reexamining IMIS user IDs for accuracy and completeness and will make the appropriate changes. OSHA’s final resolution will be in compliance with the DOL Computer Security Handbook, version 1.0. OSHA will work very closely with the OCIO to set up procedures, guidelines, and oversight for providing the list of authorized users and their authorized access level. Management is reviewing its procedures on authorizing access and should have a corrective action plan to correct the deficiencies during the 1st quarter of FY 2001. This recommendation is resolved and open. Closure is dependent upon our review of the completed corrective action plan.

Management’s Response:

Federal and contract staff working on the IMIS Re-Write have been tasked to address the SOF 6 weaknesses.
In the interim, OSHA plans to develop and/or update formal IMIS Host/Micro Systems’ policies and procedures to cover the authorization, modification, deletion/termination, and periodic re-certification of user access and assignment of access, by the 3rd Quarter of FY 2001.

OIG’s Conclusion:

This recommendation remains resolved and open pending our review of the corrective actions during the FY 2001 audit.

Authorization and Monitoring of User Physical Access

During our FY 1999 audit (OIG Report No. 12-00-002-13-001), we found that controls over the authorizing and periodic monitoring of users having physical access to the OSHA Communication Center can be improved. We made the following recommendation:

•      ensure agencies are in compliance with the computer security handbook and that agency SSPs (for its GSS and MAs) include appropriate controls for the protection of the physical environment in which system hardware, backups, telecommunication equipment, and other sensitive components reside. In addition, we recommend agency SSPs include specific technical standards (security settings, critical system configuration, etc.) for each general support system and major application.

During our FY 2000 audit, we found that OSHA was in the process of establishing and implementing a standard key access form for requesting card key access and developing and maintaining an OSHA Communication Center visitor log. In addition, OSHA will document and implement formal physical security policies and procedures for the OSHA Communication Center by the end of the 1st quarter of FY 2001. This recommendation is resolved and open.
Closure is dependent on our review of OSHA’s physical security policies and procedures for the OSHA Communication Center.

Management’s Response:

OSHA has established, published, and implemented access policy and procedures for the Communications Room (FPB-S6212) to provide a standard format and process for requesting key cards and replacement key cards, to establish appropriate and inappropriate use policy, and to provide a Log of visitors (anyone without a key card).

OSHA has developed a Separation Clearance form and process for contract personnel to include sign-off to verify that a departing employee has returned his/her key card.

OSHA has initiated dialog with the Office of Administrative Services about the need to work with the Department to establish processes and procedures to ensure that OSHA has: 1) a feedback mechanism that provides a record of authorizations; and 2) periodic, but regular, reports on who has what access, and to verify that action has been taken on requests for deletion/deactivation of cards. Work to make additional process improvements is expected to continue in the 2nd Quarter of FY 2001.

OIG’s Conclusion:

This recommendation remains resolved and open pending our review of the corrective actions during the FY 2001 audit.

2.     DOL Needs to Fully Implement a Systems Development Life Cycle Methodology

Status of Prior Year Findings and Recommendations

Systems Development Life Cycle Methodology

During our FY 1999 audit (OIG Report No. 12-00-002-13-001), we found that OSHA has not established a system development life cycle (SDLC) methodology meeting Federal standards and guidelines.
We made the following recommendation:

•      ensure the SDLC process is followed by all DOL and contractor personnel who are developing, acquiring, or managing systems or making enhancements to existing systems.

During our FY 2000 audit, we found that OSHA stated it has been a full participant in the OCIO SDLC workshops held during May 2000. OSHA is currently reviewing the results of these workshops and will be providing comments to the OCIO. Upon review and approval by all Agencies and the distribution of the DOL SDLC by the OCIO, OSHA will work with the OCIO and the Assistant Secretary to ensure this SDLC process is followed by all OSHA and contractor personnel. This recommendation is resolved and open. Closure is dependent on our review of OSHA’s completed SDLC policies and procedures.

Management’s Response:

OSHA has adopted the DOL Systems Development and Life Cycle Management Manual methodology. Federal and Contractor staff working on the IMIS Re-Write are using the document to integrate security requirements into the life cycle process. Specifically, OSHA has a team working on a recommendation for change control and configuration management, including evaluation of configuration management products. The primary focus of the team is on software that will be used to implement changes on mainframe applications (both application and system software), desktop applications, production file servers, Oracle applications (both application and system software), Unix applications, and network applications, including Hub and gateway protocols.

In the interim, OSHA has been working to develop a more formalized approach to IMIS project management that encompasses Application Development and Change Management.
Specifically, Microsoft Project, Formal Test Plan documentation, and electronic mail are being used to document the change control process. However, by the end of the 2nd quarter of FY 2001, OSHA expects to implement a more formal approach to sign-off and information gathering that will serve to document the process end-to-end.

By the end of the 3rd quarter of FY 2001, the Change Control and Configuration Management Team is expected to present its findings and recommendations for software products that can be used to implement applications software change control on the various platforms.

OIG’s Conclusion:

This recommendation remains resolved and open pending our review of the corrective actions during the FY 2001 audit.

3.     DOL Needs to Complete and Fully Test Its Plan(s) for Maintaining Continuity of Operations

Status of Prior Year Findings and Recommendations

Service Continuity Plan

During our FY 1999 audit (OIG Report No. 12-00-002-13-001), we found that an OSHA disaster recovery/business continuity plan for the national office to recover local area network, NCR microcomputers, and telecommunications in the event of an extended outage of information system processing does not exist. We made the following recommendation to the Chief Information Officer and the Assistant Secretaries:

•      ensure agencies are in compliance with the computer security handbook by ensuring each agency develops the required contingency plan. In addition, agencies should ensure that: arrangements have been made for an alternate processing facility; plans are stored at the off-site storage facility; and plans include sufficient guidelines for developing roles, responsibilities and recovery instructions, training primary and back-up personnel, and frequency of updates, etc.

During FY 2000, we found that OSHA was working with the OCIO to revise and update the IMIS Contingency Plan in accordance with the DOL Computer Security Handbook, version 1.0. This recommendation is resolved and open. Closure is dependent on our review of the completed IMIS Contingency Plan.

Management’s Response:

OSHA has been a full participant in the DOL Critical Infrastructure Protection Work Group’s (CIPWG) effort to develop a template for contingency plans for DOL-wide use, and to search for COTS products that may aid the contingency planning effort. In addition, a white paper has been developed to address contingency plans for the IMIS NCRs. The due date for contingency plans has not yet been determined by the OCIO. However, OSHA expects to initiate plans to update the existing IMIS contingency plan during the 2nd Quarter of FY 2001.
The plan is expected to be\na living document to be updated in compliance with Federal and DOL requirements.\n\nOIG\xe2\x80\x99s Conclusion:\n\nThis recommendation remains resolved and open pending our review of the approved\ncontingency plan during the FY 2001 audit.\n\n\n\n\n                                              93\n\x0c               EMPLOYMENT AND TRAINING ADMINISTRATION (ETA)\n\nWe tested general controls and security over EDP systems of the ETA as they pertain to the\nfollowing critical financial application.\n\n\xe2\x80\xa2        Unemployment Insurance System (UIS)\n\nIssues reported by management as being closed during the period under review were retested\nusing GAO\xe2\x80\x99s Federal Information System Controls Audit Manual (FISCAM). The OIG\'s IT\nAudit Rotation schedule did not include any new testing to be performed as part of the FY 2000\nFinancial Statement Audit.\n\n1.       DOL Needs to Strengthen Controls to Protect Its Information\n\nStatus of Prior Year Findings and Recommendations\n\nIndependence of Security Administration\n\nDuring our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found the independence of\nthe security administration function can be strengthened. In addition, the duties currently\nperformed by the security administrator are not appropriately segregated. Specifically, the ETA\nInformation Security Officer reports directly to the ETA Chief of Operations and not to the ETA\nChief Information Officer. We made the following recommendation to the Chief Information\nOfficer and the Assistant Secretaries:\n\n     \xe2\x80\xa2   ensure that entitywide security programs are developed, documented, and implemented\n         for all departmental systems. The programs should include an up-to-date security\n         plan, risk assessment, security management structure, and access monitoring.\n\nDuring our FY 2000 audit, we found management is currently updating its security reporting\nprocedures. 
In addition, management stated that starting immediately, UIS will report all security\nissues pertaining to the UIS network directly to the ETA Information Security Officer, ETA Chief\nof Operation, and the ETA Chief Information Officer. This recommendation is resolved and\nopen. Closure of this issue is dependent on our review of the security reporting procedure as a\npart of our FY 2001 audit.\n\nManagement\xe2\x80\x99s Response:\n\n1.       Updated System Security Plan - Provided to the OIG with Response to Draft Report.\n2.       Updated Risk Assessment - Provided to the OIG with Response to Draft Report.\n3.       Security Management Structure - ETA will be adding additional security staff to the team,\n         which will allow ETA to implement a totally integrated security management structure and\n\n\n\n                                                94\n\x0c       will include access monitoring. New Security Management Structure will be included in\n       the updated SSP due April, 2001.\n\nOIG\xe2\x80\x99s Conclusion:\n\nThis recommendation remains resolved and open pending our review of the documentation\nprovided in response to the draft report and the other corrective actions taken during our FY\n2001 audit.\n\nSecurity Awareness\n\nDuring our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found an ongoing security\nawareness program does not exist. We made the following recommendation to the Chief\nInformation Officer and the Assistant Secretaries:\n\n\xe2\x80\xa2      all applicable employees and contractors receive the required training and maintain\n       appropriate documentation (e.g., list of all employees as of the training course date,\n       attendance sheet of employees taking the course, topics, agendas, handouts, etc.,\n       provided during the program).\n\nDuring our FY 2000 audit, we found management is currently working with the Office of the\nChief Information Officer (OCIO) to develop a security awareness training program. 
According\nto management, a draft security awareness program is scheduled to be ready for review by the\nOCIO in the first quarter of FY 2001. This recommendation is resolved and open. Closure is\ndependent upon our review of the security awareness training program as a part of the FY 2001\naudit.\n\nManagement\xe2\x80\x99s Response:\n\n1.     ETA is currently developing a policy that states that all employees associated with ETA\n       security efforts must attend security training every year to upgrade their skills and security\n       awareness.\n\n2.     In October, 2000, ETA coordinated with the Department and presented an annual security\n       awareness training program for National office employees. This awareness training\n       program was presented on October 25, 2000.\n\nOIG\xe2\x80\x99s Conclusion:\n\nThis recommendation remains resolved and open pending our review of the corrective actions\ntaken and security awareness training program during our FY 2001 audit.\n\n\n\n\n                                                 95\n\x0cIncident Response Capabilities\n\nDuring our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found that ETA\xe2\x80\x99s reporting\nof incident responses could be improved. We found the following does not exist:\n\n\xe2\x80\xa2      Written procedures for communicating and reviewing security incident reporting violations\n       for UIS system.\n\xe2\x80\xa2      A centralized e-mail address that forwards mail to UIS, ETA and CIO security staff\n       members and permit users to conveniently exchange information with the security\n       administration.\n\nWe made the following recommendation to the Chief Information Officer and the Assistant\nSecretaries:\n\n\xe2\x80\xa2      ensure agencies are in compliance with the computer security handbook and that\n       agency SSPs include appropriate policies and procedures for the monitoring of\n       inappropriate or unusual activity occurring on the system. 
Policies and procedures\n       should include, but are not limited to management\xe2\x80\x99s determination of what should be\n       recorded on logs and what constitutes a violation of the policy, frequency of reviews,\n       reporting and escalation processes, and maintenance of documentation (manual or\n       automated) for audit trail purposes, etc.\n\nDuring our FY 2000 review, we found ETA has updated its security reporting procedures to\ninclude:\n\n\xe2\x80\xa2      All security incidents shall be immediately reported to the following Federal staff:\n       S       UI - Chief, Division of Data Systems and Support\n       S       UI - Task Team Leader\n       S       UI - Task Order Project Officer (Will keep records on file and copies in our fire-\n               proof safe.)\n\xe2\x80\xa2      Detail information concerning the incident shall be reported to the Office of Technology\n       and Information Services (OTIS). Documented information will be given to the OTIS-\n       Senior Security Officer, OTIS-Chief, Information Officer (CIO). The CIO reports all\n       network security issues to senior level management of ETA. Both hard and electronic\n       copies of indents shall be kept on file for review. Electronic files are backed up nightly.\n\nAs of September 30, 2000, management did not provide evidence that the procedures outlined in\nthe status were added to ETA\'s security plan. This recommendation is resolved and open.\nClosure of this issue is pending the submission of the revised plan that includes the new\nprocedures and the FY 2001 audit to test the operating effectiveness of the new controls.\n\n\n\n\n                                                96\n\x0cManagement\xe2\x80\x99s Response:\n\n1.     ETA\xe2\x80\x99s revised security plan due in April, 2001 will include the document detailed incident\n       reporting policy and procedures.\n\n2.     
OWS has updated the incident response section in the security plan since the OIG report.\n       However, the entire plan is undergoing further revisions as a result of a review from the\n       Department CIO\xe2\x80\x99s office (report prepared by Troy Systems). A copy of the plan will be\n       available for OIG review by December, 2000. For details on the ETA incident reporting\n       policies, refer to Appendix 1 of the System Security Plan from the Office of Technology\n       and Information Services.\n\nOIG\xe2\x80\x99s Conclusion:\n\nThis recommendation remains resolved and open pending our review of the corrective actions\ntaken during our FY 2001 audit.\n\nPhysical Controls\n\nDuring our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found physical controls to\nprevent or detect unauthorized or inappropriate access to the Office of Technology and\nInformation Services (OTIS) data center need improvement. Specifically, the following\nconditions were found:\n\n\xe2\x80\xa2      Controls over the authorizing and periodic monitoring of users having physical access to\n       OTIS data center (rm. S6222 and S6228) can be improved. Our review noted that policy\n       and procedures do not exist for the authorization, modification/reissuance, deletion, and\n       periodic recertification of electronic card keys and standard keys. 
Specifically, the\n       following weaknesses were identified:\n\n       \xe2\x80\xa2      Access request forms for card keys (allowing access to the data center doors) are\n              not used.\n       \xe2\x80\xa2      Three of 23 individuals tested for having access to the data center were deemed to\n              have inappropriate access.\n\n\xe2\x80\xa2      Visitors are not controlled.\n       \xe2\x80\xa2       Operations personnel are not aware of routinely scheduled cleaning maintenance\n               shifts.\n\nWe made the following recommendation to the Chief Information Officer and the Assistant\nSecretaries:\n\n\n\n\n                                               97\n\x0c\xe2\x80\xa2      ensure agencies are in compliance with the computer security handbook and that\n       agency SSPs include appropriate controls for the protection of the physical\n       environment in which system hardware, backups, telecommunication equipment, and\n       other sensitive components reside. In addition, we recommend agency SSPs include\n       specific technical standards (security settings, critical system configurations, etc.) for\n       each general support system and major application.\n\nDuring our FY 2000 audit (OIG Report No. 12-00-003-13-001), we found ETA\'s Office of\nTechnology and Information Services management are updating the policies and procedures for\nthe authorization, modification/reissuance, deletion and periodic recertification of electronic card\nkeys and standard keys. This recommendation is resolved and open. Closure is dependent on\nour review of the updated policies and procedures.\n\nManagement\xe2\x80\x99s Response:\n\n1.     Access Request Forms - Request Forms are now required to have access granted to the\n       Data Center. Provided to the OIG with Response to Draft Report.\n2.     
Access to the Data Center - ETA has reduced the number of employees with access to the\n       Data Center and removed access from non-essential staff.\n3.     Visitors - ETA has implemented and posted a sign-in procedure for all visitors entering the\n       Data Center.\n4.     The updated SSP due in April, 2001 will include ETA Data Center policy.\n\nOIG\xe2\x80\x99s Conclusion:\n\nThis recommendation remains resolved and open pending our review of the updated policies and\nprocedures during the FY 2001 audit.\n\nApplication Documentation\n\nDuring our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found the application manual\nfor the UIS Subsystem, FMRS (Financial Management Report System) is inadequate. The\ninstructions did not provide sufficient information to be used as a user manual. Specifically, the\ndocument provided to users did not explain how to perform data processing or adequately\ndocument the application\xe2\x80\x99s functions. We made the following recommendation to the Chief\nInformation Officer and the Assistant Secretaries:\n\n\xe2\x80\xa2      the Chief Information Officer complete the \xe2\x80\x9cDepartment of Labor Computer System\n       Development Life Cycle (SDLC) Manual\xe2\x80\x9d that addresses policies and procedures for\n       documenting various aspects of the system (including user manuals) and under what\n       conditions documentation should be updated. The manual should be reviewed and\n       approved by all agency heads, issued, and followed.\n\n\n\n                                                 98\n\x0cDuring our FY 2000 audit, we found that the CIO has issued the SDLC manual. We also found\nsubsystems within OWS (UIS) follow the SDLC. Program documentation for the FMRS has\nbeen done, however, program staff did not feel the need for a user\xe2\x80\x99s manual due to a small\nnumber of users having access to the FMRS application. In addition, user turnover is low;\ntherefore, training of new users is infrequent. 
Thus, development of a user manual was not a\nprogram office priority and not cost effective considering the time and effort in terms of dollars.\nOWS stated it assumes the risk of not closing this issue. This recommendation is now\nunresolved. Resolution depends on the OWS developing the FMRS application user manual.\n\nManagement\xe2\x80\x99s Response:\n\nThe Division of Fiscal and Actuarial Services (DFAS) is the program area within OWS which is\nresponsible for the FMRS system. At this time, due its small number of users and turnover being\nrelatively low, the development of a user\xe2\x80\x99s manual was not considered cost effective by the\nprogram area.\n\nOIG\xe2\x80\x99s Conclusion:\n\nThis recommendation remains unresolved, resolution is dependent on the OWS developing\nalternative measures for a FMRS application user manual.\n\nAuthorization of Application Changes\n\nDuring our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found software\nmodifications were not consistently approved by the Project Manager. Specifically, in four of the\nsix changes tested we found that the Project Manager had not signed-off.\n\nWe made the following recommendation to the Chief Information Officer and the Assistant\nSecretaries:\n\n\xe2\x80\xa2      ensure this SDLC process is followed by all DOL and contractor personnel who are\n       developing, acquiring, or managing new systems or making enhancements to existing\n       systems.\n\nDuring our FY 2000 audit, we found procedures have been updated. All signatures are required\nbefore any changes are accepted. The Project Manager has been informed of this procedural\nchange. However, the OIG has not received the ETA Office of Work Force Security updated\nprocedures that indicate all signatures are required before any changes. In addition, no change\nrequests were received showing compliance with the new procedures. This recommendation is\nresolved and open. 
Closure is dependent on our FY 2001 audit to review procedures and to test\nthe operating effectiveness of the new controls.\n\n\n\n\n                                                 99\n\x0cManagement\xe2\x80\x99s Response:\n\nOWS procedures for this finding have been completed. Provided to the OIG with Response to\nDraft Report.\n\nOIG\xe2\x80\x99s Conclusion:\n\nThis recommendation remains resolved and open pending our review and testing of the OWS\nprocedures submitted during the FY 2001 audit.\n\nDocumenting Application Changes\n\nDuring our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found controls over the\ninventory of program changes could be improved. The documentation log kept by configuration\nmanagement does not provide adequate information on change requests. Specifically, we noted\nthe following conditions:\n\n\xe2\x80\xa2      The log does not detail the current status of change requests and software modifications.\n\xe2\x80\xa2      There is no correlation between the system-generated report and the document control\n       log. The application version number cannot be determined from the title/description in the\n       documentation logs.\n\xe2\x80\xa2      Neither operations nor configuration management could identify the specific operator who\n       implemented the change.\n\nWe recommended that:\n\n\xe2\x80\xa2      the Chief Information Officer complete the \xe2\x80\x9cDepartment of Labor Computer System\n       Development Life Cycle (SDLC) Manual\xe2\x80\x9d that addresses policies and procedures for\n       documenting various aspects of the system (including user manuals) and under what\n       conditions documentation should be updated. 
The manual should be reviewed and\n       approved by all agency heads, issued, and followed.\n\nDuring our FY 2000 audit, we found the CIO has issued the SDLC manual and OWS is working\non further enhancing this process by configuring a third party package for software configuration\nmanagement and improving its software inventory and tracking capabilities. In addition,\nmanagement is in the process of reviewing the Configuration Management procedures, and will\ndetermine whether the process of creating and packaging software changes can be better\ncontrolled. Updates to the current procedures will change as required. This recommendation is\nresolved and open. Closure is dependent on the OIG review of the corrective actions in our FY\n2001 audit.\n\n\n\n\n                                               100\n\x0cManagement\xe2\x80\x99s Response:\n\nOWS has enhanced the configuration management process by configuring and installing a third\nparty product : CCC- Harvest. Further, updates to its existing procedures have been completed\nto address these findings. Provided to the OIG with Response to Draft Report.\n\nOIG\xe2\x80\x99s Conclusion:\n\nThis recommendation remains resolved and open pending our review of the documentation\nprovided and corrective actions taken during the FY 2001 audit.\n\nStorage of Critical Information Off-Site\n\nDuring our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found controls surrounding\nthe storage of UIS\xe2\x80\x99s back-up tapes and the Disaster Recover Plan can be improved. The\nfollowing weaknesses were noted:\n\n\xe2\x80\xa2      Policies and procedures for the safeguarding, monitoring and maintenance of backup tapes\n       do not exist. 
Specifically, the following weaknesses were noted:\n\n       \xe2\x80\xa2      ETA does not maintain inventory records of magnetic tapes stored off-site.\n       \xe2\x80\xa2      The UIS backup tapes (stored in containers) and the keys to the containers are not\n              adequately secured. For approximately one week, the UIS backup tapes were not\n              adequately safeguarded while awaiting pickup from courier. UIS backup tapes are\n              stored in locked off-site storage containers in the Network Administrator\xe2\x80\x99s cubicle,\n              however the keys for the containers are located on a shelf in an opened, unlocked\n              overhead cabinet.\n       \xe2\x80\xa2      UIS does not store the annual and quarterly backup tapes off-site.\n\n\xe2\x80\xa2      A copy of the UIS Disaster Recovery Plan (1/99) is not stored at the off-site facility.\n\nWe made the following recommendation to the Chief Information Officer and the Assistant\nSecretaries:\n\n\xe2\x80\xa2      ensure agencies are in compliance with the computer security handbook by ensuring\n       each agency develops the required contingency plan. In addition, agencies should\n       ensure that: arrangements have been made for an alternate processing facility; plans\n       are stored at the off-site storage facility; plans include sufficient guidelines for\n       developing roles, responsibilities and recovery instructions, training primary and back-\n       up personnel, and frequency of updates, etc.\n\nDuring our FY 2000 audit, we found ETA management has started corrective actions. UIS\nbackup procedures have been updated. The inventory records and safeguarding the UIS backup\n\n\n                                               101\n\x0ctapes are still in progress. 
In addition, management represented that a copy of the UIS \xe2\x80\x9cDisaster\nRecovery Plan\xe2\x80\x9d and the \xe2\x80\x9cUIS Security Plan\xe2\x80\x9d has been sent to the off-site storage facility. This\nrecommendation is resolved and open. Closure is dependent on the OIG review of the\ncorrective actions in our FY 2001 audit.\n\nManagement\xe2\x80\x99s Response:\n\nETA has completed the corrective action to address the findings. These policies and procedures\nwill be added to the updated SSP to be completed in April, 2001.\n\nOIG\xe2\x80\x99s Conclusion:\n\nThis recommendation remains resolved and open pending our review of the updated SSP and the\ncorrective actions taken during our FY 2001 audit.\n\nPersonnel Controls\n\nDuring our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found ETA management\ninformation security controls related to personnel policies and procedures are inadequate. We\nfound the following security-related personnel policies have not been adequately implemented:\n\n\xe2\x80\xa2      Background checks and references have not been made on new hires for the period\n       covering October 1, 1998 to September 30, 1999.\n\xe2\x80\xa2      There is no formal policy for reinvestigating \xe2\x80\x9cNon-critical Sensitive\xe2\x80\x9d positions.\n\xe2\x80\xa2      Current information on employee training and professional development is not adequately\n       documented and monitored.\n\nWe made the following recommendations to the Chief Information Officer and the Assistant\nSecretaries:\n\n\xe2\x80\xa2      ensure that a background check should be conducted for all Government employees\n       and contractor management personnel with high levels of system access, and\n\xe2\x80\xa2      ensure that employees are required to attend training and maintain the appropriate\n       documentation (e.g., lists of employees as of the training course date, attendance sheet\n       of employees taking the course, topics, agendas, handouts, etc., 
provided during the\n       program).\n\nDuring our FY 2000 audit, we found ETA/OTIS management in the process of discussing audit\nissues with Human Resource to determine the appropriate course of action. These\nrecommendations are resolved and open. Closure is dependent upon the OIG review of the\nupdated procedures in our FY 2001 audit.\n\n\n\n\n                                               102\n\x0cManagement\xe2\x80\x99s Response:\n\nETA is currently working with OHR on developing a proper personnel background check and\nreinvestigation policy and procedure. These policies and procedures will be included in the\nupdated SSP due in April, 2001.\n\nOIG\xe2\x80\x99s Conclusion:\n\nThese recommendations remain resolved and open pending our review of the updated SSP and\nthe corrective actions taken during our FY 2001 audit.\n\nAuthorization and Monitoring of Logical Access\n\nDuring our FY 1999 audit (OIG Report No. 12-00-003-13-001), we found controls over the\nauthorizing and periodic monitoring of users having logical access to ETA\xe2\x80\x99s Unemployment\nInsurance Service systems are inadequate. We found that formal policies exist and procedures do\nexist for the authorization, modification, deletion/termination, periodic recertification of user\naccess and assignment of access via dial in methods. However, the following weaknesses were\nidentified:\n\n\xe2\x80\xa2      The National office on a monthly basis monitors UIS system access, however, the user\n       management is not involved in the recertification of access approval process. Authorized\n       users are identified on a user access list. But it is not distributed to the appropriate\n       regional managers for recertification approval. 
Three National Office management\n       personnel review the access control listing and approves removal of a UIS account.\n       However, the deleted account is not documented.\n\n\xe2\x80\xa2      User Account Request Form (ETA PC LAN & UI UNIX Network) tested had the following\n       weaknesses:\n       S     There is no authorization date and creation date of access.\n       S     The Requestor is recorded but not the authorizing agent\xe2\x80\x99s approval/signature.\n       S     Instructions for filling out the form do not exist.\n       S     New division names are not recorded on form.\n       S     Information that is inappropriate to fill out, did not indicate \xe2\x80\x9cinapplicable.\xe2\x80\x9d\n       S     Required information was missing or incomplete on 9 of 21 forms examined.\n\nWe made the following recommendation to the Chief Information Officer and the Assistant\nSecretaries:\n\n\xe2\x80\xa2      ensure agencies are in compliance with the computer security handbook and that the\n       agency SSPs (for its GSS and MAs) contain sufficient policies and procedures\n       governing the authorization, modification, removal, monitoring of access based upon\n       the concept of "least privileged," and the emergency access. A recertification should\n\n\n                                               103\n\x0c       be conducted of all IDS on the system and the business need documented. In addition,\n       IDS that have been granted access to production programs and data (outside of the\n       application) should be restricted from this level of access.\n\nDuring our FY 2000 review, we found UIS was updating procedures to include all Regional\nManagers in the creation, deletions, and recertification of regional user Unix accounts. The\nRegional manager will be notified (via e-mail) whenever a change to a regional account is\nrequested. Hard copies will be kept on file. 
A new User Account Request Form is being created.\nThis recommendation is resolved and open. Closure is dependent upon the OIG review of the\nupdated procedures in our FY 2001 audit.\n\nManagement\xe2\x80\x99s Response:\n\n1.     Procedures have been updated to communicate changes to the status of UNIX accounts of\n       Regional users to Management. Provided to the OIG with Response to Draft Report.\n\n2.     OWS has created a new user account request form which has been in use since November,\n       2000. Provided to the OIG with Response to Draft Report.\n\nOIG\xe2\x80\x99s Conclusion:\n\nThis recommendation remains resolved and open pending our review of the documentation\nprovided during our FY 2001 audit.\n\n\n\n\n                                             104\n\x0c'